About This Guide


IMPORTANT: The Virtual Office (VO) 1.5 product and associated patches are not included in OES 
SP2. However, version 1.6.1 updates of the product for both OES Linux and OES NetWare are 
available on the Web. 


For more information, see “Virtual Office” on page 22. 


This guide 
* Describes Novell® Open Enterprise Server (OES) software. 
* Provides planning and implementation instructions for each OES service. 
* Focuses on getting started with the file services, print services, etc., in OES. 


It doesn't contain detailed information about configuring and maintaining OES services, but it does 
contain helpful links to other service-specific administration guides and documentation. 


Audience 


This guide is designed to help network administrators 


* Understand OES services prior to installing them.
* Make pre-install planning decisions.
* Understand installation options for each platform.
* Implement the services after they are installed.


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with OES. To contact us, use the User Comments feature at the bottom of any page in the 
online documentation. 


Documentation Updates 


Changes made to this manual since the initial product release are summarized in Appendix H, 
"Documentation Updates," on page 261. 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.


When a single pathname can be written with a backslash for some platforms, or a forward slash for 
other platforms, the pathname is presented with a forward slash to reflect the Linux* convention. 
Users of platforms that require a backslash, such as NetWare®, should use backslashes as required 
by the software. 
Start Here


This section contains the following sections: 


Chapter 1, “What's New,” on page 19

Chapter 2, “Welcome to Open Enterprise Server,” on page 27

Chapter 3, “Planning Your OES Implementation,” on page 33

Chapter 4, “Getting and Preparing OES Software,” on page 49

Chapter 5, “Installing OES,” on page 55

Chapter 6, “Upgrading to OES,” on page 61

Chapter 7, “Migrating/Consolidating Existing Servers and Data,” on page 63

Chapter 8, “Updating/Patching OES Servers,” on page 65

Chapter 9, “Adding OES Services to OES Servers,” on page 67

Chapter 10, “Implementation Caveats,” on page 69


What's New


This section provides the following information: 


* Section 1.1, “What's New in This Guide,” on page 19
* Section 1.2, “Major Enhancements in the Support Packs,” on page 19
* Section 1.3, “Links to What's New Sections,” on page 25


1.1 What’s New in This Guide 


The following sections have been added or updated. 


1.1.1 NetWare/Linux Command Map 


This is now located in a separate guide—Novell OES SP2 Linux Tips for NetWare Administrators. 


1.2 Major Enhancements in the Support Packs 


The following sections outline the major enhancements in each support pack. 


* Section 1.2.1, “NetWare 6.5 Support Pack 6,” on page 19 
* Section 1.2.2, “OES Support Pack Two,” on page 20 
* Section 1.2.3, “OES Support Pack One,” on page 22 


1.2.1 NetWare 6.5 Support Pack 6 


NetWare 6.5 Support Pack 6 has replaced the Support Pack 5 in the OES Support Pack 2 product. 


The following are added to previous NetWare 6.5 enhancements starting with SP6. 


* “Novell Audit 2.0.2 Free Update Available” on page 19
* “iManager 2.6” on page 19
* “Support for Server Hardware with No PS/2 Keyboard Port” on page 20
* “Daylight Saving Changes” on page 20


Novell Audit 2.0.2 Free Update Available 


We recommend that you download and install Novell Audit 2.0.2 Starter Pack from the Novell 
Download Web site (http://download.novell.com/index.jsp). 


Although updates to Novell Audit 1.0x are included in SP6, Novell Audit 1.0 is no longer supported 
and has been removed from the installation options starting with the release of NetWare 6.5 SP6. 


iManager 2.6 


If iManager 2.5 is installed on your NetWare server, and you apply NetWare 6.5 Support Pack 6, 
iManager and its associated plug-ins are automatically updated to version 2.6. For more information 
about iManager 2.6, see the iManager 2.6 Documentation (http://www.novell.com/documentation/imanager26/index.html).


If you are using iManager 2.02, iManager is not upgraded.


Support for Server Hardware with No PS/2 Keyboard Port 


Support for keyboard polling is added in NetWare 6.5 SP6 to accommodate new machines that lack
a PS/2 keyboard port. NetWare can now be installed and run before the USB keyboard drivers are
loaded.


Daylight Saving Changes


Starting in 2007, many time zones in the United States will change the Daylight Saving start date to 
the second Sunday in March and the end date to the first Sunday in November.


Newly installed NetWare 6.5 SP6 servers include the Daylight Saving changes for those time zones 
that are adopting the new dates. 


Existing NetWare servers are unaffected by the application of Support Pack 6. 


Novell plans to release a separate utility (DSTshift) prior to 2007 that you can use to automatically 
adjust the start and end dates on existing NetWare 4.x, 5.x, and 6.x servers. Alternatively, you can 
adjust the settings manually at the server console and by editing the autoexec.ncf file. 


1.2.2 OES Support Pack Two 


The following enhancements are included in OES SP2. 


* “iFolder 3.1” on page 20
* “iPrint” on page 21
* “NCP Server for Linux” on page 21
* “NetWare” on page 21
* “Novell Cluster Services (Linux)” on page 21
* “Novell Cluster Services (NetWare)” on page 21
* “Novell Remote Manager (NRM) (Linux)” on page 21
* “Novell Remote Manager (NRM) (NetWare)” on page 21
* “OES Linux Install” on page 21
* “Storage Management Services (SMS)” on page 21
* “Virtual Office” on page 22


iFolder 3.1 


* iFolder Client: Now includes localized help. 


* Login Support: For common name or e-mail name has been added. The option chosen applies 
to all users. 
iPrint


* iprintcmd (Linux client) Renamed to iprntcmd: Options for Linux and Windows are more
similar so they can be used more efficiently in login scripts.


* Low Security Client: Is now the default on the iPrint Printer List Web page.


NCP Server for Linux


* DOS Archive Bit: Can now be set on non-NSS NCP volumes on Linux. 
* Inherit POSIX Permissions: Is now available on non-NSS NCP volumes on Linux. 


* Cross-Protocol Locking: Is now supported. For example, users can access files from Samba 
and an NCP client. Applications that support file sharing modes now work correctly. 


NetWare 


* Available Memory Monitoring: Novell Remote Manager lets you set lower thresholds than 
were previously supported. 


Novell Cluster Services (Linux) 


* Choosing a Device for the SBD Partition: Is done from a list rather than requiring a manual
entry.


* iManager Cluster Option Names: Are changed to make cluster configuration and
management easier.


* Direct Cluster Upgrading from NetWare 6.0: Is now supported.


Novell Cluster Services (NetWare) 


* iManager Cluster Option Names: Are changed to make cluster configuration and 
management easier. 


Novell Remote Manager (NRM) (Linux) 


* File System Support: Lets you view the free space on any mounted physical file system,
create inventory reports, and perform actions on the file systems.


* Network Discovery Page: Lets you scan a host and its ports to discover services.


Novell Remote Manager (NRM) (NetWare)


* Health Monitoring: Has been enhanced to include Faulted Address Space Count monitoring 
and alerts, alert-specific headings in e-mail notifications, and improved Available Memory 
monitoring. 


OES Linux Install 


* SLES 9 SP3: Is included.
* Red Carpet Graphical User Interface (GUI): Is supported.


Storage Management Services (SMS) 


* Backup and Restore of Extended Attributes: Is supported in VFS systems. 
* UTF8-Based Trustee Migration: Is supported for the Server Consolidation and Migration
Toolkit.


Virtual Office 


The Virtual Office (VO) product and associated patches are not included with OES SP2. However, 
version 1.6.1 updates of the product for both OES Linux and OES NetWare are available on the Web.


You can use these updates to either upgrade an existing VO installation or an OES server to version 
1.6.1 or to perform a new installation of VO 1.6.1. 


To obtain the update, see the Web page for each platform: 


* OES Linux (http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973717.htm) 
* OES NetWare (http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973716.htm) 


1.2.3 OES Support Pack One 


The following enhancements are included in OES SP1 and later. 


* “iFolder 2.1” on page 22
* “iFolder 3.1” on page 22
* “iPrint” on page 23
* “Linux User Management (LUM)” on page 23
* “MySQL” on page 23
* “Native File Access Protocols” on page 23
* “NCP Server for Linux” on page 23
* “NetWare” on page 23
* “Novell Client for Linux” on page 24
* “Novell Cluster Services (Linux)” on page 24
* “Novell Remote Manager (NRM)” on page 24
* “Novell Storage Services (NSS) on Linux” on page 24
* “OES Install” on page 25
* “Server Consolidation and Migration Toolkit” on page 25
* “SUSE Linux Enterprise Server 9” on page 25
* “Virtual Office” on page 25


iFolder 2.1 


* Novell Cluster Services: Now fully supported. 


iFolder 3.1 


* The iFolder 3.1 Product: Now included and integrated with the OES Linux installation. 
(Novell® iFolder® 3 is not supported on the NetWare® platform.)


iPrint


* Default Printer: Now an option when installing an iPrint printer on Windows™.


* Printer List Web Page: Can now be sorted. 


* Secure Printing from the Linux Client: Now available to both OES Linux and OES NetWare 
servers. 


* Windows Driver Profiles: Now supported on OES Linux servers. 


Linux User Management (LUM) 


* iManager Interface: Lets you enable multiple users and groups for Linux and perform other
management tasks more easily.


* Enable Users for Linux: Lets you also enable an existing eDirectory™ group for Linux or
create a new Linux-enabled group to which the users are assigned.


* Enable Groups for Linux: Lets you enable the group and the users that already belong to it at
the same time.


* User Creation Process Flow: User creation, Linux-enabling of eDirectory users, and
Samba-enabling of Linux users are now three separate processes in iManager. This is required
because of the new management capabilities.


* Associating the UNIX Config Object with a Linux-Enabled Group: No longer supported
because multiple UNIX* Workstation objects can now be associated with Linux-enabled
groups.


MySQL 


* Autoclose Option: Added to MySQL* clients.
* JDBC Connector and phpMyAdmin: New versions are added.
* Version: Updated to 4.0.24.


Native File Access Protocols 


* SMB Signing: Support has been added to prevent man-in-the-middle attacks and provide 
secure communications between clients and servers. 


NCP Server for Linux 


* Moving Files: Now supported between NCP™ volumes. For example, you can move a file 
from an NCP volume on NSS to an NCP volume on a native Linux file system. Trustee rights 
to files are maintained. However, file attributes unique to NSS, such as those associated with 
quotas and salvaging, are lost if the target volume is not NSS. 


* NSS File Attributes: Can now be set on NSS volumes from an NCP client. 
* Opportunistic Locking Levels 1 and 2: Now supported.


NetWare 


* Clear Console Command History: Now enabled through the F10 key. This also disables the 
command history. 


* F1 Help: Now available on the main server console screen. 
* Installation: No longer distinguishes OES from Support Packs. iManager 2.5, QuickFinder,
and Virtual Office 1.5 are the only version choices available.


* Module Load Time: Added to the information displayed by the modules console command.
You can now see exactly when a given module was loaded. The same information is available
in Novell Remote Manager, where you can sort the module list by load time to see which
modules were loaded most recently.


* Programming-Level Support: Added for fork() and exec() for use by several cross-platform
modules, such as BASH and Perl.


* Quick-Save Console Buffer: Can now be saved to a text file. See the F1 help screen at the
NetWare console for details.


Novell Client for Linux 


* Novell Client for Linux: Now available and supports NCP access to OES NetWare and OES 
Linux (with the NCP server installed and running). 


Novell Cluster Services (Linux) 


* Cluster Resource Templates: Added MySQL and iFolder 2.1x.
* Encrypted NSS Volumes: Supported.
* High Availability Features: Include improved NIC channel bonding and SAN multipath IO.
* Maximum Cluster Resource Script Length Limits: Eliminated.
* Mirrored SBD Partitions: Supported.
* Rolling Cluster Conversion: Expanded to include both NetWare 6.0 and NetWare 6.5
clusters.
* STONITH Support: Added to let you shut down other nodes.


Novell Remote Manager (NRM)


* Default Settings: Can now be restored for any given SET parameter by clicking a button in the
interface. 


* Language Support on OES Linux: Modified so that the browser's language is used rather 
than the server's language. 


* Open File Control: The main page now includes a list of open files per volume, which links 
directly to the list of open files. 


* “Remembered” Collapsible Categories: Lets you display the Novell Remote Manager
features you use most often and hide the others.


Novell Storage Services (NSS) on Linux


* Encrypted Volumes: Can now be created. 

* Hardlinks: Now supported. 

* Metadata Migration Utility: Now available. 

* New Media Format: Supports enhanced hard link capability. 
* Performance Improvements: NSS performance is significantly improved. Samba access to
an NSS volume is now faster than to traditional Linux volumes, such as EXT3 or Reiser, when
the number of directories and files is greater than 2,000.


* Software RAID Support: Now included.


OES Install


The Auto YaST GUI now includes OES components in the Software > Package Selection page. 


Server Consolidation and Migration Toolkit 


The Server Consolidation Utility and the Migration Wizard have been combined into a single 
toolkit. You must now download and run the toolkit to access either the utility or the wizard. 


SUSE Linux Enterprise Server 9 


* SP2: Automatically installed with (and required by) OES Linux. 


Virtual Office 


* Team File Size Management: Lets you restrict the maximum amount of space that any team 
can use. This can be set per team or globally. 


* Version 1.6: Now the only version included. 


1.3 Links to What's New Sections 


The following table provides links to the What's New sections in the documentation for all OES 
products. 


| Product | Link to What's New Section |
|---|---|
| Archive and Version Services 2.0 | Administration Guide; User Guide |
| Identity Manager 3.0.1 | Installation Guide |
| iFolder 3.x | Administration Guide; User Guide |
| iManager 2.5 | Administration Guide; Install Guide |
| iPrint | OES Linux Administration Guide; OES NetWare Administration Guide |
| Native File Access Protocols | Administration Guide |
| NCP Server for OES Linux | Administration Guide |
| NetStorage | OES Linux Administration Guide; OES NetWare Administration Guide |
| Novell Client™ | Windows Administration Guide |
| Novell Cluster Services | Administration Guide |
| Novell Remote Manager | OES Linux Administration Guide; OES NetWare Administration Guide |
| Novell Storage Services™ (NSS) | Administration Guide |
| Nsure® Audit | Administration Guide |
| OES Linux | Installation Guide |
| OES NetWare | Memory Management Administration Guide; Server OS Administration Guide |
| QuickFinder™ 4.0 | Administration Guide |
| RConsoleJ (NetWare) | Administration Guide |
| Virtual Office | Administration Guide |


Welcome to Open Enterprise Server


Novell® Open Enterprise Server (OES) includes all the network services that organizations 
traditionally expect from Novell. 


Figure 2-1 OES Overview: Novell Network Services on NetWare and Linux


* Identity and Directory: eDirectory, Identity Management, LDAP (eDirectory), Linux Access for eDirectory Users
* Infrastructure: Auditing, Authentication, Backup, Clustering and Failover, Databases, DNS, DHCP, Open SLP, File Systems and Storage, IPX and TCP/IP, iSCSI, Licensing, Search, Security, Time Synchronization, Web and Application
* End User: Access, Collaboration, File, Print, White Pages


This guide contains brief but crucial information and insights to help you successfully implement 
OES. 


If you want to quickly grasp basic OES concepts, scan through the following overviews: 


More detailed overviews are contained in the individual service sections in this guide. 
NOTE: For a list of OES services by platform, see “Services Supported on Each Platform” on
page 249.


2.1 Server Platforms 


You can deploy OES services on either OES NetWare® (NetWare 6.5 SP3 or later) or SUSE® Linux
Enterprise Server 9 (SLES 9) server. You can choose to install OES on a new server or upgrade an 
existing NetWare 6.5 or SLES 9 server to run OES services. The OES install automatically upgrades 
NetWare 6.5 with Support Pack 4 and SLES 9 with Support Pack 2 if the Support Packs were not 
previously installed. 


As stated in Figure 2-2, each platform offers unique strengths. Novell OES offers a range of reliable, 
proven network services. 


Figure 2-2 OES Server Platforms


Open Enterprise Server

OES Services: Identity and Directory, Infrastructure, End User

* NetWare 6.5: Novell's network-optimized, advanced enterprise services platform, offering reliability, scalability, and security.
* SLES 9: Novell's open source, Linux platform, offering an open application environment, flexibility, and versatility.

Because Novell OES services run on both NetWare and SLES 9, you can

* Choose the platform mix that best serves your organization.
* Combine open source and flexibility with enterprise-class, reliable, secure networking services.
* Rely on Novell Support to help you keep your network running the way your organization expects.


IMPORTANT: The OES documentation set includes the SLES 9 Administration Guide, which 
contains valuable information regarding SLES 9 and its standard services. The OES Documentation 
Web site contains links to much of the information in the SLES 9 guide. 


Be aware that some instructions in the SLES 9 guide, such as the installation sections, are for 
installing and running a standard SLES 9 server but not for installing a SLES 9 server and running 
OES services. 


You should always consult the information in the OES manuals and guides first when working with 
OES services on SLES 9. 
2.2 Management Interfaces and Services


As shown in Figure 2-3, OES provides a rich set of service- and server-management tools, including 
browser- and server-based interfaces that help you implement and maintain your network. 


Access to most of these management interfaces is controlled through eDirectory™. However, a few 
interfaces, such as YaST on SLES 9 servers, require local authentication. 


For more information, see Chapter 14, “OES Utilities and Tools,” on page 91. 


Figure 2-3 Management Interfaces and Services 
2.3 Identity and Directory Services


Storing and managing network identities in directory services has become a fundamental 
expectation for networking. 


2.3.1 eDirectory 


In the simplest terms, Novell eDirectory is a tree structure containing a list of objects (or identities) 
that represent network resources, such as 

* Network users.
* Servers.
* Printers.
* Applications.


eDirectory is designed to provide easy, powerful, and flexible management of network resources
(including eDirectory itself) in ways that no other directory service can match. You can administer 
eDirectory using the same browser-based tools on both OES platforms. 


For more information, see Part IV, “Identity and Directory Services,” on page 105. 


Figure 2-4 eDirectory Overview 
2.3.2 Identity Manager 3.0.1 Bundle Edition


OES includes Identity Manager 3.0.1 Bundle Edition with the drivers required to let you 
synchronize identity information stored in Active Directory* Domains, NT Domains, and 
eDirectory trees. For more information, see Section 16.1, "Using Identity Manager 3.0.1 Bundle 
Edition," on page 111. 


2.4 Infrastructure Services 


OES network services require a number of underlying infrastructure services to support such things 
as 

* Authentication of those seeking access to the network and its services.
* Backup services to prevent data loss.
* Network storage of end user files and other critical data.
* Support for and management of all the required network protocols.


Figure 2-5 illustrates that OES includes all the network infrastructure services that are required to
meet these and other network service needs. 


Figure 2-5 Infrastructure Services 
2.5 End User Services


Ultimately, networks exist to provide services to end users, and Novell is best known for the 
anywhere-accessible end user services it enables you to provide on your network. 


Figure 2-6 on page 32 illustrates the services that OES can provide to network users and the 
methods they can use to access those services. These services are explained in greater detail in the 
other sections of this guide. 
For service access information, see “Quick Reference to OES User Services” on page 247.


Figure 2-6 OES User Services 
Planning Your OES Implementation


As you plan which services to install on which OES platform, you probably have a number of 
questions. The following sections are designed to help answer your questions and alert you to 
planning steps you should follow for a successful OES implementation. 

* Section 3.1, “Technologies Introduced in OES,” on page 33
* Section 3.2, “What Services Are Included in OES?,” on page 33
* Section 3.3, “Which Services Do I Need?,” on page 36
* Section 3.4, “Which OES Platform Is Best for My Services?,” on page 37
* Section 3.5, “Plan for eDirectory,” on page 42
* Section 3.6, “Prepare Your Existing eDirectory Tree for OES,” on page 42
* Section 3.7, “Identify a Purpose for Each Server,” on page 42
* Section 3.8, “Understand Server Requirements,” on page 43
* Section 3.9, “Understand User Restrictions and Linux User Management,” on page 43
* Section 3.10, “Consider Coexistence and Migration Issues,” on page 43
* Section 3.11, “Understand Your Installation Options Before You Start,” on page 43


3.1 Technologies Introduced in OES 


As you prepare to begin using OES, you should know about the following technologies introduced 
with OES: 


* Linux User Management (LUM): Technology that lets eDirectory™ users function as local 
POSIX* users on Linux servers. For more information, see “Linux Access for eDirectory Users 
(LUM)" on page 117. 


* OpenWBEM: A set of management and Internet standard technologies developed to unify the 
management of enterprise computing environments. For more information, see the 
OpenWBEM Services Administration Guide for OES. 


3.2 What Services Are Included in OES? 


* Traditional Novell Services on Both OES Platforms


Beginning with the release of Nterprise™ Linux Services and expanding with the release of OES,
Novell has included Linux versions of many Novell services that have traditionally been
available only on NetWare®.


* Critical Open Source Products on Both OES Platforms


Novell has previously ported the most well known, network-critical open source products to 
NetWare—products such as OpenSSH and the Apache Web server. These open source products 
are, of course, already available on SLES 9. Therefore, a separate Novell port to Linux is 
unnecessary. 
Table 3-1 summarizes the services and technology support available on each platform and the
differences in the way these services are provided.


Although extensive, this list is not exhaustive. If you are interested in a service or technology not 
listed, or for documentation for listed services, see the A—Z List on the OES Documentation Web 
site. 


Table 3-1 OES Services Available on OES LINUX and OES NetWare 


| Service | OES LINUX | OES NetWare |
|---|---|---|
| AFP (Apple File Protocol) | No | Yes - NFAP |
| Apache Web Server | Yes - Standard Linux | Yes - NetWare port of open source product |
| Archive and Version Services (Novell) | No | Yes |
| Backup (SMS) | Yes | Yes |
| Clustering | Yes | Yes |
| CIFS (Windows File Services) | Yes - Samba | Yes - NFAP |
| DFS (Novell Distributed File Services) | No | Yes |
| DHCP | Yes | Yes |
| DNS | Yes | Yes |
| eDirectory 8.7.3 | Yes | Yes |
| eDirectory Certificate Server | Yes | Yes |
| eGuide (White Pages) | Yes | Yes |
| FTP Server | Yes | Yes |
| Health Monitoring Services | Yes | Yes |
| Identity Manager | Yes | Yes |
| iPrint | Yes | Yes |
| IPX™ (Internetwork Packet Exchange™) from Novell | No | Yes |
| iSCSI | Yes | Yes |
| LDAP Server for eDirectory | Yes | Yes |
| MySQL | Yes - Standard Linux | Yes - NetWare port of open source product |
| NCP™ Server | Yes | Yes |
| NetStorage | Yes | Yes |
| NFS | Yes - Native to Linux | Yes - NFAP |
| NICI (Novell International Cryptography Infrastructure) | Yes | Yes |
| NMAS™ (Novell Modular Authentication Services) | Yes | Yes |
| Novell Client™ for Windows and Linux support | Yes - through NCP Server for Linux or Novell Samba | Yes |
| Novell Cluster Services™ | Yes | Yes |
| Novell iFolder® 2.x | Yes | Yes |
| Novell Licensing Services | No - See Section 28.3, “OES Linux Doesn’t Support NLS,” on page 157. | Yes |
| NSS (Novell Storage Services™) | Yes | Yes |
| Nsure® Audit | Not included with OES. However, the Novell Audit 2.0 Starter pack is available for download at no cost on Novell.com (http://www.novell.com/downloads). | Yes |
| NTPv3 | Yes | Yes |
| OpenSSH | Yes - Standard Linux | Yes - NetWare port of open source product |
| PAM (Pluggable Authentication Modules) | Yes - eDirectory enabled | No - eDirectory authentication is pervasive on NetWare. |
| Pervasive.SQL | No (Available at http://www.pervasive.com) | Yes |
| PKI (Public Key Infrastructure) | Yes - eDirectory | Yes - eDirectory |
| Printing | See iPrint. | See iPrint. |
| QuickFinder™ | Yes | Yes |
| RADIUS | Yes - Novell RADIUS | Yes - Novell RADIUS |
| Samba | Yes - Novell customized | No - See Section 35.1.2, “Native File Access Protocols,” on page 206. |
| Search (QuickFinder) | Yes | Yes |
| SLP | Yes - SLES 9 | Yes - Novell |
| Software RAIDS (NSS volumes) | Yes (0 and 1) | Yes (0, 1, 5) |
| Storage Management Services™ (SMS) | Yes | Yes |
| TCP/IP | Yes | Yes |
| Timesync NLM™ | No - See “Time Synchronization” on page 169. | Yes |
| Tomcat | Yes - Standard Linux | Yes - NetWare port |
| NetWare Traditional File System | No | Yes |
| Virtual Office (Collaboration) | Yes | Yes |
| WAN Traffic Manager (for eDirectory) | No | Yes |

3.3 Which Services Do I Need?


OES probably includes services that you don’t know about that could greatly enhance the business 
value of your network. 


You are probably aware of some of the file and print services included in OES, but you might not 
know that 


* OES includes a powerful search engine (QuickFinder) that can index local and Web content, 
providing you with a search appliance at no additional cost. 

* Users running the Novell Client can map drives to locations on an OES Linux server running 
the NCP Server for Linux. 


We recommend that you review the brief service overviews included at the beginning of each 
service section in this guide to get a full picture of the solutions that OES offers. 


3.3.1 End User Services 


* “Access” on page 187
* “Collaboration (Virtual Office)” on page 201
* “File Services” on page 205
* “Print Services” on page 233
* “White Pages (eGuide)” on page 239


3.3.2 Identity and Directory Services 


* “eDirectory” on page 107
* “Identity Management Services” on page 111
* “LDAP (eDirectory)” on page 115
* “Linux Access for eDirectory Users (LUM)” on page 117


3.3.3 Infrastructure Services 


* “Auditing” on page 129
* “Authentication” on page 131
* “Backup” on page 135
* “Clustering and Failover” on page 137
* “Databases” on page 139
* “DNS, DHCP, and OpenSLP” on page 141
* “File Systems and Storage Services” on page 143
* “IPX and TCP/IP” on page 153
* “iSCSI” on page 155
* “Licensing” on page 157
* “Search” on page 159
* “Security” on page 161
* “Time Synchronization” on page 169
* “Web and Application Services” on page 183


3.3.4 Exploring OES Services 


We also recommend that you explore the services by following the step-by-step instructions 
provided in the OES Lab Guides: 


* Lab Guide for OES SP2 Linux 
* Lab Guide for OES NetWare 


3.4 Which OES Platform Is Best for My Services? 


You have already seen that there are differences in the way OES provides services on SLES 9 and
NetWare 6.5. (See Section 3.2, “What Services Are Included in OES?,” on page 33.) To help you
better assess which OES platform can best meet your network service needs, you should consider 
the inherent platform strengths of Linux and NetWare and the differences in the service offerings on 
each platform. 


3.4.1 Platform Strengths 


Although both OES platforms provide a full set of network services, there are differences in the 
NetWare and Linux platforms. 


Table 3-2 Platform Comparison 


| | OES NetWare | SUSE LINUX Enterprise Server 9 |
|---|---|---|
| Brief description | Novell's award-winning network-optimized operating system. | Novell's award-winning Linux operating system. |
| Industry-recognized strengths | Reliability; Scalability; Security | Open application environment; Flexibility; Versatility |
| Business value propositions | NetWare excels when the user population and management burden is highly distributed: Increases network availability. Optimizes manageability. Enhances user productivity. | SLES 9 is well suited as an application server running Linux-based solutions: Runs thousands of programs available from the open source community. Delivers OES file and print services. Runs Apache, Tomcat, MySQL, and other open source applications. Hosts open source Web servers, proxy servers, and mail servers. |


3.4.2 Service Differences on the OES Platforms 


In addition to considering the platform strengths, you should understand the differences in the 
features available when services are running on Linux or NetWare. The following examples 
illustrate this point. 


* DNS/DHCP: NetWare DNS/DHCP services are far richer than the basic DNS/DHCP 
functionality available in the standard Linux implementation. 


Many organizations find Linux DNS/DHCP services to be completely adequate. On the other 
hand, some organizations—especially those that currently leverage the advanced services 
available on NetWare—might be frustrated with the Linux implementation of DNS/DHCP and 
find it inadequate for their needs. 


* Novell Storage Services (NSS): When deploying NSS, you might want support for Novell 
Distributed File Services (DFS) so you can move or split NSS volumes. This feature is 
currently available only on NSS running on NetWare. 


You should fully investigate any service differences between platforms before you finalize your 
service/platform choices. 


It is beyond the scope of this guide to explain every point that might be important to you as you plan 
your network services. For this level of information, you should consult the service-specific manuals 
and guides provided in the OES online documentation (http://www.novell.com/documentation/oes). 


To help you, Table 3-3 indicates which services are the same, contains links to documentation 
sections that discuss service differences, and shows which services are unavailable on a given 
platform. 


Table 3-3 Information on Service Differences between the OES Platforms 


Service: Explanations and Links 

* Apache Web Server: Administration Instance vs. Public Instance on NetWare 
  (http://www.novell.com/documentation/oes/web_apache/data/aipcu6x.html#aipcu6x) 

  What's Different about Apache on NetWare 
  (http://www.novell.com/documentation/oes/web_apache/data/ail8hvj.html#ailehvj) 
* Archive and Version Services: This Novell product is not supported on Linux. 

* Backup (SMS): SBCON is not supported on Linux. 

* Clustering: “Product Features” in the OES Novell Cluster Services 1.8.2 
  Administration Guide for Linux 

  “Product Features” in the OES Novell Cluster Services 1.8.2 
  Administration Guide for NetWare 

* DFS (Distributed File Services): Not supported in NSS for Linux. 

* DHCP: “DHCP” in the SUSE LINUX Enterprise Server 9 Administration Guide 

  “Planning a DHCP Strategy” in the Novell DNS/DHCP Services for 
  NetWare Administration Guide for OES 

* DNS: “DNS - Domain Name System” in the SUSE LINUX Enterprise 
  Server 9 Administration Guide 

  “Planning a DNS Strategy” in the Novell DNS/DHCP Services for 
  NetWare Administration Guide for OES 

* eDirectory 8.7.3: No functional differences. 

* eDirectory Certificate Server: No functional differences. 

* eGuide (White Pages): No functional differences. 

* FTP Server: “Features of the NetWare FTP Server” in the NetWare FTP Server 
  Administration Guide for OES 

* Health Monitoring services: No functional differences. “Monitoring Server Health” 

* Identity Manager: No functional differences. 

* Novell iFolder 2.x: No functional differences. 

* Novell iFolder 3.x: For OES SP1 Linux and later; not for OES NetWare. 

* iPrint: “Overview” in the OES iPrint Administration Guide for Linux 

  “Overview” in the OES iPrint Administration Guide for NetWare 

* IPX (Internetwork Packet Exchange): Novell doesn't provide this on Linux. 

* iSCSI: Linux-iSCSI Project on the Web (http://linux-iscsi.sourceforge.net) 

  “Overview” in the iSCSI 1.1.3 Administration Guide for NetWare 6.5 

* LDAP Server for eDirectory: No functional differences. 

* MySQL: MySQL.com on the Web (http://www.mysql.com) 

  “Overview: MySQL” in the MySQL for NetWare Administration Guide for OES 

* NCP Server: “Benefits of NCP Server” in the NCP Server for Linux Administration 
  Guide 
* NetStorage: NetStorage on Linux offers connectivity to storage locations using 
  the CIFS/SMB, NCP, and SSH protocols. NetWare uses only NCP. 

  These and other differences are summarized in “NetStorage” on page 208. 

* NICI (Novell International Cryptography Infrastructure): No functional differences. 

* NMAS (Novell Modular Authentication Services): No functional differences. 

* Novell Client support (Linux and Windows): No functional differences with NCP 
  Server for Linux installed on OES Linux. 

* Novell Cluster Services: “Product Features” in the OES Novell Cluster Services 1.8.2 
  Administration Guide for Linux 

  “Product Features” in the OES Novell Cluster Services 1.8.2 
  Administration Guide for NetWare 

* Novell Licensing Services: Not available on Linux. 

* Novell iFolder 2.x: No functional differences. 

* NSS (Novell Storage Services): “Coexistence and Migration Issues” in the Novell 
  Storage Services File System Administration Guide for OES 

* Nsure Audit: Not available on Linux. 

* NTPv3: Chapter 31, “Time Synchronization,” on page 169 

* OpenSSH: “Functions Unique to the NetWare Platform” in the OpenSSH 
  Administration Guide 

* PAM (Pluggable Authentication Modules): Not available on NetWare. Authentication 
  is fully integrated with eDirectory. 

* Pervasive.SQL: Pervasive.SQL on the Web 
  (http://www.pervasive.com/support/technical/online_manuals.asp) 

* PKI (Public Key Infrastructure): No functional differences. 

* Printing: See iPrint. 

* RADIUS: No functional differences (NMAS). 

* QuickFinder: See Search. 

* Samba: Linux solution for CIFS file access. NetWare provides CIFS access 
  through the Native File Access Protocol (NFAP) functionality. 

  For more information, see the Samba Administration Guide for OES Linux SP2. 
* Search (QuickFinder): When indexing a file system, the QuickFinder engine indexes 
  only what it has rights to see. 

  On NetWare, it has full access to all mounted volumes. On Linux, it 
  has rights to only the files that the novlwww user in the www group 
  has rights to see. 

  For more information, see “Security Characteristics” and 
  “Generating an Index For a Linux-mounted NSS Volume” in the 
  QuickFinder Server 4.2 Administration Guide. 

* Server resource management (eDirectory): eDirectory on NetWare manages server 
  resources. For example, you can view and modify file system information, manage 
  files and folders on NetWare volumes, salvage and purge deleted files, 
  allocate volume space, and create objects to facilitate file 
  management. See “Managing Objects” in the Novell eDirectory 
  8.7.3 Administration Guide. 

  The current version of eDirectory for Linux does not support 
  management of server resources. 

* SLP (Novell SLP) (OpenSLP): OpenSLP Services on Linux 

  Implementing the Service Location Protocol 
  (http://www.novell.com/documentation/edir87/edir87/data/a2iiimc.html) 

  NetWare uses Novell SLP by default, which provides 
  synchronization between Directory Agents (DAs) that are in the 
  same eDirectory context. This provides service information beyond 
  the local network. 

  Alternatively, you can implement OpenSLP for eDirectory. Be 
  aware, however, that DA synchronization is not supported in 
  OpenSLP. 

  OpenSLP on Linux is not customized to provide DA synchronization. 

* Software RAIDS: Understanding Software RAID Devices 

* Storage Management Services (SMS): No functional differences. 

* TCP/IP: No functional differences. 

* Timesync: Not available on Linux, but NTPv3 is supported on both OES platforms. 

* Tomcat: Administration Instance vs. Public Instance on NetWare 
  (http://www.novell.com/documentation/oes/web_tomcat/data/ahdyran.html#ahdyran) 

* NetWare Traditional File System: Not available on Linux. 

* Virtual Office (Collaboration): No functional differences. 

* WAN Traffic Manager: Not supported on Linux. 

  “WAN Traffic Manager” in the Novell eDirectory 8.7.3 Administration Guide. 
3.5 Plan for eDirectory 


eDirectory is the heart of OES network services and security. 


If you are installing into an existing tree, be sure you understand the information in Section 15.3, 
“eDirectory Coexistence and Migration,” on page 107. 


If you are creating a new eDirectory tree on your network, you must do some additional planning 
before you install the first server into the tree. The first server is important for two reasons: 


* You create the basic eDirectory tree structure during the first installation. 


* The first server permanently hosts the Certificate Authority for your organization. 


To ensure that your eDirectory tree meets your needs, take time to plan the following: 


* Structure of the eDirectory tree: A well-designed tree provides containers for servers, users, 
printers, etc. It is also optimized for efficient data transfer between geographically dispersed 
locations. For more information, see “Designing Your Novell eDirectory Network” in the 
Novell eDirectory 8.7.3 Administration Guide. 


* Time synchronization: eDirectory requires that all OES servers, both NetWare and Linux, be 
time synchronized. For more information, see Chapter 31, “Time Synchronization,” on 
page 169. 


* Partitions and replicas: eDirectory allows the tree to be partitioned for scalability. Replicas 
(copies) of the partitions provide fault tolerance within the tree. The first three servers installed 
into an eDirectory tree automatically receive replicas of the tree’s root partition. You might 
want to create additional partitions and replicas. For more information, see “Managing 
Partitions and Replicas” in the Novell eDirectory 8.7.3 Administration Guide. 


For information on these and other eDirectory planning tasks, see the Novell eDirectory 8.7.3 
Administration Guide. 


Also be aware that the OES lab guides provide a basic introduction to creating container objects as 
well as Group and User objects in eDirectory. 


3.6 Prepare Your Existing eDirectory Tree for 
OES 


If you are installing OES into an existing tree, you must use Deployment Manager (located on CD1 
[Operating System]) to see whether your tree requires any updates. 


For instructions on running Deployment Manager, see “Preparing the Network with Deployment 
Manager” in the OES NetWare Installation Guide. 


3.7 Identify a Purpose for Each Server 


Large networks usually have one or more servers dedicated to providing a single network service. 
For example, one or more servers might be designated to provide Novell iFolder file services to 
network users while other servers provide iPrint printing services for the same users. 


For smaller organizations, it is often not practical or cost effective to dedicate servers to providing a 
single service. For example, the same server might provide both file and print services to network 
users. 
Prior to installing a new server on your network, you should identify the service or services that it 
will provide. 


3.8 Understand Server Requirements 


OES Linux and OES NetWare both have specific hardware and software requirements. 


Prior to installing OES, make sure your server machine and network environment meet the 
requirements outlined in the following sections: 


* OES Linux Server: “Preparing to Install OES Linux” in the OES Linux Installation Guide. 


* OES NetWare Server: “Meet Hardware and Software Requirements” in the OES NetWare 
Installation Guide. 


3.9 Understand User Restrictions and Linux User 
Management 


If you plan to use Linux User Management, before you accept the default PAM-enabled service 
settings, be sure you understand the security implications explained in Section 30.1.3, “User 
Restriction Limitations,” on page 163. 


3.10 Consider Coexistence and Migration Issues 


You probably already have a network that is providing services to network users. In many cases, the 
services you are currently running will influence your approach to implementing OES. In some 
cases, there are specific paths to follow so that the OES integration process is as smooth as possible. 


Novell has invested considerable effort in identifying service coexistence and migration issues you 
might face. We understand, however, that we can’t anticipate every combination of services that you 
might have. Therefore, we intend to continue developing coexistence and migration information 
after each OES product release, and we plan to update the Web-based documentation regularly with 
the newly developed information. 


Some of the most common issues are outlined in Section 5.1, “Installation/Upgrade/Migration 
Caveats,” on page 55. For information about coexistence of OES servers with existing NetWare and 
Linux networks, and for migration instructions, see the OES Coexistence and Migration Guide. 


3.11 Understand Your Installation Options Before 
You Start 


Before installing OES, you should be aware of the information in the following sections: 


* Section 3.11.1, “OES Linux Installation Overview,” on page 44 

* Section 3.11.2, “OES NetWare Installation Overview,” on page 44 

* Section 3.11.3, “You Can Install from CDs or from the Network,” on page 45 

* Section 3.11.4, “Use Predefined Server Types (Patterns) When Possible,” on page 46 

* Section 3.11.5, “If You Want to Install in a Lab First,” on page 48 

* Section 3.11.6, “If You Want to Install NSS on a Single-Drive Linux Server,” on page 48 
3.11.1 OES Linux Installation Overview 


The software and network preparation processes required to install OES Linux are outlined in Figure 
3-1. 


NOTE: Chapter 4, “Getting and Preparing OES Software,” on page 49 contains instructions for 
obtaining the ISO image files and the network install script referred to in the following illustration. 


Figure 3-1 OES Linux Install Preparation 


[Figure. Surviving labels: Download the netinstall.sh script as instructed in the OES for Linux 
Installation Guide. Run netinstall.sh on a Linux machine to copy the ISOs to the network. 
Install OES for Linux. (Requires access to [root] partition.)] 


For detailed instructions, see “Preparing the OES Linux Files for Installation” in the OES Linux 
Installation Guide. 


3.11.2 OES NetWare Installation Overview 


The software and network preparation processes required to install OES NetWare are outlined in 
Figure 3-2. Specific instructions for the steps shown are referenced in the sections that follow. 
NOTE: Chapter 4, “Getting and Preparing OES Software,” on page 49 contains instructions for 
obtaining the ISO image files referred to in the following illustration. 


Figure 3-2 OES NetWare Install Preparation 


For detailed instructions, see “Installing OES NetWare” in the OES NetWare Installation Guide. 


3.11.3 You Can Install from CDs or from the Network 


As illustrated in the two previous sections, both OES Linux and OES NetWare let you install from 
CDs or from files on the network. 


OES Linux Options 


OES Linux includes two installation options, both of which are documented in the OES for Linux 
Installation Guide. 


* CD Install: You can install using CDs obtained from a Novell Authorized Reseller, or you can 
create CDs from downloaded ISO image files. 


See “Preparing for a CD Installation” in the OES Linux Installation Guide. 


* Network Install: You can install using only the first CD if the remaining ISO files are 
available on the network. 


This option can save you from swapping CDs on the server during the installation. 


See "Preparing for a Network Installation" in the OES Linux Installation Guide. 


OES NetWare Options 


OES NetWare includes two installation options, both of which are documented in the OES for 
NetWare Installation Guide. 


* CD Install: You can install using CDs obtained from a Novell Authorized Reseller, or you can 
create CDs from downloaded ISO image files. 


See “Access the Installation Files" in the OES NetWare Installation Guide. 


* Network Install: You can install from the network if you have prepared the DOS partition with 
Novell Client software and copied the CD files to the network. 


This option can save you from swapping CDs on the server during the installation. 


See “Access the Installation Files" in the OES NetWare Installation Guide. 


3.11.4 Use Predefined Server Types (Patterns) When Possible 


Both OES platforms include predefined server installation options that install only the components 
required to provide a specific set of network services. In the OES NetWare install, these server types 
are called patterns. 


For example, if you want to install an OES server that supports a Web-based, user-configurable 
collaboration environment, you should select the Virtual Office Server server type during the OES 
installation. 


You should always choose a predefined server type if one fits the intended purpose of your server. If 
not, you can choose to install a customized OES server with the service components you need. 


Table 3-4 Linux Installation Server Types 


Predefined Server Type: Description and Packages Installed 

* Novell QuickFinder Server: Installs a search server that lets users find the information 
  they're looking for on Web sites and attached file systems. 

  KDE is not installed. 

* Novell iFolder2 Server: Installs a server that lets mobile users access their local files from 
  anywhere—online, offline, all the time. 

  KDE is not installed. 

* Novell Virtual Office Server: Installs a collaboration solution that lets users be self sufficient 
  with their IT needs. 

  KDE is not installed. 

* Novell Management Server: Installs iManager, YaST (text-based), and the basic runtime 
  system. 

  KDE and graphical base system are not installed. 

* Novell Print Server: Installs a printing system that installs workstation print drivers and 
  gives access to local printers and remote printers with Internet connections. 

  KDE is not installed. 

* Novell Open Enterprise Server: The default server pattern installs the SLES 9 Default 
  installation and most OES services. 

  KDE is installed. 


Table 3-5 NetWare Installation Patterns 


Server Pattern: Description 

* Customized NetWare Server: Lets you select the optional products you want on the server. 

* Basic NetWare File Server: Installs only basic NetWare with no additional products. 

* Pre-Migration Server: Creates a server that data will be migrated to at a later time using 
  the NetWare Migration Wizard. 

* DNS/DHCP Server: Sets up the Novell eDirectory tree for directory-enabled DNS/DHCP 
  services. 

* exteNd™ J2EE* Web Application Server: Installs an optimized configuration of the Novell 
  exteNd Application Server. 

* LDAP Server: Installs Lightweight Directory Access Protocol (LDAP) Services for 
  Novell eDirectory. 

* NetWare AMP (Apache, MySQL, PHP, and Perl) Server: Lets you host open source Web 
  database applications on a NetWare 6.5 server. 

* NetWare Backup Server: Installs the infrastructure for backup and restore services on the 
  NetWare platform. 

* QuickFinder Server: Installs a search server that lets users find the information they're 
  looking for on Web sites and attached file systems. 

* Network Attached Storage (NAS) Server: Installs multiple-file protocol storage for your 
  network. 

* Novell iPrint Server: Installs a printing system that installs workstation print drivers and 
  gives access to local printers and remote printers with Internet connections. 

* Apache/Tomcat Server: Installs Apache Web Server and the Jakarta-Tomcat Servlet 
  Container for use in hosting dynamic, application-driven Web sites. 

* Novell Nsure Audit Starter Pack Server: Installs the centralized auditing service that is 
  built into OES NetWare. 

* iSCSI SAN Storage Server: Turns your OES NetWare server into an iSCSI Storage Server 
  (also known as an iSCSI Target). 

* Novell iFolder Storage Services: Installs a server that lets mobile users access their local 
  files from anywhere—online, offline, all the time. 

* Management Server: Installs Novell iManager 2.5 and Novell ConsoleOne® 1.3.6 
  network administration software to provide a complete 
  management solution for your server environment. 

* Virtual Office Server: Installs a collaboration solution that lets users be self sufficient 
  with their IT needs. 


3.11.5 If You Want to Install in a Lab First 


Many organizations prefer to install products on smaller servers for testing in a lab prior to full 
deployment. We have created the Lab Guide for OES SP2 Linux and the Lab Guide for OES 
NetWare to walk you through the installation and exploration of all the basic OES services. 


3.11.6 If You Want to Install NSS on a Single-Drive Linux Server 


Many are interested in Novell Storage Services (NSS) running on Linux. If you plan to experiment 
with NSS on a single-drive server, be sure to follow the instructions in “Installing Linux with EVMS 
as the Volume Manager of the System Device” in the OES Linux Installation Guide. 
Getting and Preparing OES Software 


This section contains instructions for getting and preparing OES software and discusses the 
following topics: 

* Section 4.1, “Do You Have Upgrade Protection?," on page 49 

* Section 4.2, “Do You Want to Purchase OES or Evaluate It First?," on page 49 

* Section 4.3, “Evaluating OES Software," on page 50 


If you have not already done so, we recommend you review the information in Section 3.11, 
"Understand Your Installation Options Before You Start," on page 43. 


4.1 Do You Have Upgrade Protection? 


If you have Novell® Upgrade Protection, you can upgrade to OES and the latest support pack free of 
charge. For more information and to start the upgrade process, do the following: 


1 Using your Novell account information, log in to the Novell Web Site (http://www.novell.com/ 
nps). 
2 Click the Customer Care icon to access the Customer Care page. 


3 Follow the instructions on the Customer Care page to obtain the upgrade to Open Enterprise 
Server and the latest support pack. 


4.2 Do You Want to Purchase OES or Evaluate It 
First? 

If you have decided to purchase OES, visit the Novell How to Buy OES Web page (http:// 
www.novell.com/products/openenterpriseserver/howtobuy.html). 


With your OES purchase, you receive 


* An activation code for enabling your OES Linux servers to receive online updates, including 
the latest support pack. 


* A pair of license files for installing OES NetWare servers. 


NOTE: After you purchase OES, OES NetWare support packs are available at no charge on the 
Novell Support Web site (http://support.novell.com/filefinder/). 


As part of the purchase process, it is important that you understand the OES licensing model. For a 
brief description, see Chapter 28, “Licensing,” on page 157. 


After completing your purchase, the installation process will go more smoothly if you understand 
your installation options for each OES platform. If you haven't already done so, be sure to review 
the information in Section 3.11, “Understand Your Installation Options Before You Start,” on 
page 43 and then skip to Chapter 5, “Installing OES,” on page 55. 
If you want to evaluate OES prior to purchasing it, continue with the information in the next section, 
Evaluating OES Software. 


4.3 Evaluating OES Software 


This section walks you through the OES software evaluation process and discusses the following 
topics: 

* Section 4.3.1, “Understanding OES Software Evaluation Basics,” on page 50 

* Section 4.3.2, “The Evaluation Software Includes the Latest OES Support Pack,” on page 50 

* Section 4.3.3, “Downloading OES Software from the Novell Web Site,” on page 51 

* Section 4.3.4, "Preparing the Installation Media," on page 52 

* Section 4.3.5, "Installing OES for Evaluation Purposes," on page 52 

* Section 4.3.6, "Evaluating OES," on page 52 


* Section 4.3.7, "Installing Standard Activation and License Files after the Evaluation Period 
Expires," on page 53 


4.3.1 Understanding OES Software Evaluation Basics 


You can evaluate the full OES product on both product platforms. The evaluation software is the 
complete, fully functional OES product with the latest support pack included. 


As you install each server, you are required to accept an end user license agreement (EULA). Your 
rights to evaluate and use the OES product are limited to the rights set forth in the EULA, which are, 
briefly, the following: 


* The evaluation period for OES Linux servers is 30 days. No software updates can be 
downloaded after the 30-day evaluation period expires. 


* The evaluation period for OES NetWare® servers is 90 days, after which Novell expects you to 
either purchase OES or uninstall OES NetWare. Until you do, the OES NetWare servers 
generate periodic reminders that your evaluation license has expired. 


4.3.2 The Evaluation Software Includes the Latest OES Support 
Pack 


The CD image files (.iso files) on the Evaluation Web site include the latest OES support pack. 


In contrast, the OES CD image files on the Novell How to Buy Web site are for installing the 
original OES release. Support packs and other patches are not integrated in the files available on the 
How to Buy site. 


Novell Support recommends that you download and install the evaluation software if you 
want the latest support pack. When you purchase OES after evaluating the software, you receive a 
standard Linux activation code and a pair of standard NetWare license files. You can then apply the 
code and license files to fully license your servers by following the instructions in Section 4.3.7, 
“Installing Standard Activation and License Files after the Evaluation Period Expires,” on page 53. 
4.3.3 Downloading OES Software from the Novell Web Site 


If you already have OES ISO image files, skip to Section 4.3.4, “Preparing the Installation Media,” 
on page 52. 


If you have OES product CDs, skip to Section 4.3.5, “Installing OES for Evaluation Purposes,” on 
page 52. 


To download ISO image files from the Web: 


1 If you don’t already have a Novell Account, register for one on the Web 
(https://secure-www.novell.com/selfreg/jsp/createAccount.jsp?). 


2 Access the Novell Downloads Web page (http://download.novell.com). 


3 In the most popular list, click Novell Open Enterprise Server SP2 EVAL, or search for that 
exact product name and then click the link. 


4 Click the proceed to download button (upper-right corner of the first table). 


5 If you are prompted to log in, type your Novell Account username and password, then click 
login. 


6 Accept the Export Agreement (required for first downloads only) and answer the survey 
questions about your download (optional). 


7 Print the Novell Open Enterprise Server SP2 EVAL page. You need the listed MD5 verification 
numbers to verify your downloads. 


8 On the Novell Open Enterprise Server SP2 EVAL page, scroll down to the what to download 
section. 


9 Decide which files you need to download for the platforms you plan to evaluate and mark them 
on the MD5 verification list for later reference and download tracking. 


10 Start downloading the files you need by clicking the respective download button for each file. 


11 In the evaluating OES with Support Pack 2 section, the OES Linux paragraph, click the Product 
Registration and Access link. 


12 Print the Product Registration and Activation page, or write down the Novell Open Enterprise 
Server for SUSE LINUX Enterprise Server 9 Evaluation Activation Code (Serial Number). 


13 Click Back to return to the Novell Open Enterprise Server SP2 EVAL page. 


14 In the download table at the top of the page, click the Install Instructions > View link at the end 
of the list of files to download, then print the instructions for reference. 


15 While you wait for the downloads, read through the brief installation instructions, clicking the 
links for more information. 


16 Verify the integrity of each downloaded file by running an MD5-based checksum utility on it 
and comparing the values against the list you printed in Step 14. 


For example, on a Linux system you can enter the following command: 

md5sum filename 

where filename is the name of the .iso file you are verifying. 


For a Windows system, you need to obtain a Windows-compatible MD5-based checksum 
utility from the Web and follow its usage instructions. 
17 (Optional) If you plan to install OES Linux from files on your network, see the install script 
download instructions in “Preparing for a Network Installation” in the OES Linux Installation 
Guide. 
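
The md5sum check in Step 16, applied to a whole set of downloads at once. This is an added example, not part of the original guide: the list layout (one "value  filename" line per file, as md5sum prints it), the file names and the stand-in file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: batch form of the md5sum check described in Step 16.
# LIST holds one "<md5 value>  <file name>" line per download, typed in from
# the printed verification list (the same layout md5sum itself prints).
# A matching value shows the file arrived complete and uncorrupted.

# verify_isos LIST DIR
# Prints OK, MISMATCH or MISSING for every entry in LIST and returns 0 only
# when every listed file is present in DIR and matches its expected value.
verify_isos() {
    list=$1
    dir=$2
    failures=0
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while read -r expected name || [ -n "$expected" ]; do
        case $expected in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        name=${name#\*}                   # drop md5sum's binary-mode marker
        # Printed values may be upper case; md5sum prints lower case.
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            printf '%-8s %s\n' MISSING "$name"
            failures=$((failures + 1))
            continue
        fi
        # Read the file on stdin so only the hash value comes back.
        actual=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf '%-8s %s\n' OK "$name"
        else
            printf '%-8s %s\n' MISMATCH "$name"
            failures=$((failures + 1))
        fi
    done < "$list"
    [ "$failures" -eq 0 ]
}

# Constructed demonstration: three hypothetical image names, small stand-in
# files instead of real ISO images.
run_demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for disc 1\n' > "$tmp/oes-cd1.iso"
    printf 'constructed stand-in for disc 2\n' > "$tmp/oes-cd2.iso"
    # Record the expected values while both files are still intact.
    ( cd "$tmp" && md5sum oes-cd1.iso oes-cd2.iso > expected.md5 )
    # A listed file that was never downloaded (placeholder value).
    echo 'ffffffffffffffffffffffffffffffff  oes-cd3.iso' >> "$tmp/expected.md5"
    # Simulate an interrupted download by truncating the second file.
    printf 'constructed stand-in' > "$tmp/oes-cd2.iso"
    verify_isos "$tmp/expected.md5" "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

run_demo || echo "One or more files failed verification; download them again."
```

A MISMATCH or MISSING line means the file should be downloaded again before any installation media is prepared from it.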


4.3.4 Preparing the Installation Media 


IMPORTANT: If you have downloaded .iso image files from the Web, it is critical that you 
verify the integrity of each file as explained in Step 16 on page 51. Failure to verify file integrity can 
result in failed installations, especially in errors that report missing files. 


Instructions for preparing installation CDs are located in 


* “Preparing the OES Linux Files for Installation" in the OES Linux Installation Guide. 
* “Preparing the NetWare Installation Software” in the OES NetWare Installation Guide. 


4.3.5 Installing OES for Evaluation Purposes 


As explained in Section 4.3.1, “Understanding OES Software Evaluation Basics,” on page 50, 
evaluation installations are enabled through specialized license files for OES NetWare servers and 
an activation code for OES Linux servers. 


The following sections explain when and how you use these files as you install and activate OES 
servers. Specific instructions are found in the platform-specific installation guides. 


OES Linux 


When you follow the processes outlined in Section 4.3.3, “Downloading OES Software from the 
Novell Web Site,” on page 51, you are given an activation code on the Product Registration and 
Activation page. You must either write this code on a piece of paper or print the Web page so that 
you have the code for later use. 


After your OES Linux server installation is complete, you can use the activation code to enable your 
server for online updates for the 30-day evaluation period. Instructions for using the activation code 
are found in “Patching an OES Linux Server” in the OES Linux Installation Guide. 


Use the same activation code for each OES Linux server you install during the evaluation period. 


OES NetWare 


Both NetWare CDs contain a LICENSE folder with a 90-day evaluation license. You should select 
this license when you install the first OES NetWare evaluation server in a new tree. 


Instructions for installing the evaluation license are contained in “Licensing the NetWare Server” in 
the OES NetWare Installation Guide. 


Use the same license files for all OES NetWare servers installed during the evaluation period. 


4.3.6 Evaluating OES 


During the evaluation period, we recommend you fully explore the many services available in OES. 
To help you get started with the process, we have prepared the following lab guides for each OES 
platform. These guides introduce eDirectory™, walk you through server installations on both OES 
platforms, and provide brief exercises you can complete to get started using OES Services. 


For more information, see 


* Lab Guide for OES SP2 Linux 
* Lab Guide for OES NetWare 


After working through the lab guides, we recommend you review the information in this guide to 
gain a comprehensive overview of OES and the planning and implementation processes you will 
follow to fully leverage its network services. 


4.3.7 Installing Standard Activation and License Files after the 
Evaluation Period Expires 


As part of the purchase process, it is important that you understand the OES licensing model. For a 
brief description, see Chapter 28, “Licensing,” on page 157. 


After purchasing Open Enterprise Server, do the following: 


* OES Linux: Use the instructions in “Patching an OES Linux Server" in the OES Linux 
Installation Guide to enter the standard activation code received with your purchase. Complete 
the steps where you enter the activation code, replacing the evaluation code with the standard 
code. Deactivating the channel is not required. 


* OES NetWare: Delete the evaluation license and install the standard license received with 
your purchase by completing the instructions in “Installing NetWare Licenses” in the OES 
NetWare Installation Guide. 


Installing OES 


This section briefly covers the following: 


* Section 5.1, “Installation/Upgrade/Migration Caveats,” on page 55 
* Section 5.2, "Installing OES Linux," on page 58 
* Section 5.3, "Installing OES NetWare," on page 58 


5.1 Installation/Upgrade/Migration Caveats 


IMPORTANT: As support packs are released, there are sometimes new caveats identified. Be sure 
to always check the OES Readme (http://www.novell.com/documentation/oes/oes_readme/data/oes_readme.html) 
for items specific to each support pack. 


This section discusses the following installation/migration caveats: 


* Section 5.1.1, “Adding a Linux Node to NetWare Cluster,” on page 55 
* Section 5.1.2, “Cluster Upgrades Must Be Planned Before Installing OES,” on page 55 
* Section 5.1.3, “Direct Migration of Some File Services from NetWare to Linux Not Provided,” 
on page 56 
* Section 5.1.4, “Follow the Instructions for Your Chosen Platforms,” on page 56 
* Section 5.1.5, “iFolder 3.x Considerations,” on page 56 
* Section 5.1.6, “Installing into an Existing eDirectory Tree,” on page 56 
* Section 5.1.7, “Installing a NetWare Server into an OES Linux Tree,” on page 57 
* Section 5.1.8, “NetWare 6.5 Servers Must Be Running SP3 or Later,” on page 57 
* Section 5.1.9, “Novell Distributed Print Services Cannot Migrate to Linux,” on page 57 
* Section 5.1.10, “NSS Features Not Implemented on OES Linux,” on page 57 
* Section 5.1.11, “Base Context for Samba Users Field Must Usually Be Changed,” on page 58 


5.1.1 Adding a Linux Node to NetWare Cluster 


After you add a Linux node to a cluster, you cannot add more NetWare® nodes. For more 
information, see “Converting a NetWare Cluster to Linux” in the OES Novell Cluster Services 1.8.2 
Administration Guide for Linux. 


5.1.2 Cluster Upgrades Must Be Planned Before Installing OES 


The only cluster-enabled service that can fail over cross-platform (run on either OES Linux or OES 
NetWare) is cluster-enabled NSS pools. All other services (iPrint, iFolder, etc.) can only fail over 
between servers that are the same platform. For example, an iPrint service that is running on an OES 
Linux server can fail over to another OES Linux server in the cluster, but the service cannot fail over 
to an OES NetWare server. 


5.1.3 Direct Migration of Some File Services from NetWare to 
Linux Not Provided 


Direct migration of CIFS, AFP, and FTP services is not provided in OES. You must carefully plan 
the manual migration of services prior to installing OES. 


For example, if you plan to replace CIFS (Windows) file services on a NetWare server with OES 
Samba running on OES Linux, you need to plan to have the Samba service in place before shutting 
down the current CIFS service. For more information on implementing Samba, see the Samba 
Administration Guide for OES Linux SP2. 


5.1.4 Follow the Instructions for Your Chosen Platforms 


Although installing OES services on Linux or NetWare is a straightforward process, the installation 
processes are platform-specific, requiring different sets of media and different installation programs. 


Use the links in the following sections to access instructions for installing OES on your chosen 
platforms. 


5.1.5 iFolder 3.x Considerations 


For best results, be sure you read and carefully follow the instructions in the Novell iFolder 3.x 
Administration Guide, starting with “Enterprise Server". This is especially critical if you plan to use 
NSS for your iFolder 3.x data volume. 


5.1.6 Installing into an Existing eDirectory Tree 


Novell Support has reported a significant number of installation incidents related to eDirectory™ 
health and time synchronization. To avoid such problems, do the following prior to installing OES: 


* “Consider Coexistence and Migration Issues” on page 56 
* “Be Sure That eDirectory Is Healthy" on page 56 
* “Be Sure That Network Time Is Synchronized” on page 56 


Consider Coexistence and Migration Issues 


If you are installing a new OES server into an existing eDirectory tree, be sure to read and follow the 
instructions in “Installing OES Servers into an Existing Tree” in the OES Coexistence and Migration 
Guide. 


Be Sure That eDirectory Is Healthy 


Review and follow the guidelines in “Keeping eDirectory Healthy” in the Novell eDirectory 8.7.3 
Administration Guide. 


Be Sure That Network Time Is Synchronized 


OES Linux and OES NetWare servers can receive network time from either an existing eDirectory 
server or from an NTP time source. The critical point is that the entire tree must be synchronized to 
the same time sources. For example, do not set your new OES server to receive time from an NTP 
source unless the whole tree is synchronized to the same NTP source. 


For an in-depth explanation of OES time synchronization, see Chapter 31, “Time Synchronization,” 
on page 169. 


5.1.7 Installing a NetWare Server into an OES Linux Tree 


If you have an eDirectory tree that was created on an OES Linux server, and you want to install an 
OES NetWare server into the tree, you must ensure that you have at least three OES Linux servers 
with replicas running in the tree prior to installing the NetWare server. Otherwise, the required 
license containers are not created in the tree and you cannot install a NetWare license. 


5.1.8 NetWare 6.5 Servers Must Be Running SP3 or Later 


If you are installing OES Linux servers into a tree containing NetWare 6.5 servers, be sure that the 
following servers have been updated to SP3 or later prior to installing OES Linux: 


* SLP Directory Agents: If the SLP Directory Agents on your network are not running NetWare 
6.5 SP3 or later, installing an OES Linux server into the tree can cause the DA servers to abend. 


* LDAP Servers: If the LDAP servers referenced in your installation are not running NetWare 
6.5 SP3 or later, the servers might abend during a schema extension operation. 


5.1.9 Novell Distributed Print Services Cannot Migrate to Linux 


NDPS® clients are not supported on Linux. You must therefore migrate any NDPS clients to iPrint 
before you migrate your print services to OES Linux. For more information, see “Migrating NDPS 
Printers to iPrint" in the OES iPrint Administration Guide for NetWare. 


5.1.10 NSS Features Not Implemented on OES Linux 


The following features are not implemented in OES Linux: 


* Archive and Version Services 

* DFS junctions are not implemented. However, NSS volumes can be targets of a junction on a 
NetWare server. For more information, see “Prerequisites for Pointing DFS Junctions at an 
NSS Volume on OES Linux” in the Novell Storage Services File System Administration Guide 
for OES. 

* Pool snapshots 

* The new NSS media format is not supported. NSS volumes that use the new format cannot be 
mounted on OES Linux servers nor used in clusters with OES Linux servers. For more 
information, see “Which NSS Volumes to Upgrade” in the Novell Storage Services File System 
Administration Guide for OES. 

* New NSS hard links are not supported. The new NSS media format supports new NSS hard 
links. Because the new media format is not supported on OES Linux, these new hard links are 
also not supported. 

Hard links are available on NSS for Linux, but they use the old format. For more information, 
see “Old Metadata Structure Supports Limited Hard Links for a File” in the Novell Storage 
Services File System Administration Guide for OES. 

* Multipath IO support. Use Linux traditional services multipath IO instead. 

* CD and DVD media and image files cannot be mounted as NSS volumes on Linux; instead 
they are mounted as Linux traditional file systems. 


For more details about NSS compatibility, see “Compatibility Issues for Using NSS Cross-Platform” 
in the Novell Storage Services File System Administration Guide for OES. 


5.1.11 Base Context for Samba Users Field Must Usually Be 
Changed 


When you install Samba services on OES Linux, the default value of the Base Context for Samba 
Users field is the eDirectory context where the server is installed. This causes problems with 
enabling users for Samba access if the users are not located in the same container as the server or in 
a sub-context of that container. 


For more Samba information, see “Samba Enabling Problems and the Base Context for Samba 
Users Field” in the Samba Administration Guide for OES Linux SP2. 


5.2 Installing OES Linux 


The OES Linux installation leverages the SUSE® LINUX YaST graphical user interface, making the 
installation of SLES 9 and OES services a seamless process. 


To ensure a successful installation: 


1. Read and follow any instructions in OES for Linux Installation 
(http://www.novell.com/documentation/oes/oes_readme/data/oes_readme.html#bsen7me) in the Open 
Enterprise Server Readme. 


2. Carefully follow the instructions in the OES Linux Installation Guide, especially those found 
in 


* “Preparing to Install OES Linux”. 
* “Installing Open Enterprise Server (OES) Linux”. 


3. During the installation, you have the option of configuring the services at install time or later. If 
you choose to configure later, you can access the YaST management tool and click each service 
icon to configure the service. We recommend you configure eDirectory™ first. 


For more information, see “Installing or Configuring OES Components on an Existing Server” 
in the OES Linux Installation Guide. 


5.2.1 What's Next 


After installing OES and before starting to use your new OES Linux server, be sure to review the 
information in Chapter 10, “Implementation Caveats,” on page 69. 


The various service sections in this guide contain information about completing your OES services 
implementation. See the sections for the services you have installed, beginning with Chapter 13, 
“Using the OES Welcome Web Site,” on page 87. 


5.3 Installing OES NetWare 


OES NetWare utilizes the NetWare graphical user interface. 


To ensure a successful installation: 


1. Read and follow any instructions in OES for NetWare Installation and Upgrade 
(http://www.novell.com/documentation/oes/oes_readme/data/oes_readme.html#bsfogt4) in the Open 
Enterprise Server Readme. 


2. Carefully follow the instructions in the OES NetWare Installation Guide, especially those found 
in 


* “Installing OES NetWare”. 
* “Upgrading to OES NetWare”. 


5.3.1 What's Next 


After installing OES and before starting to use your new OES NetWare server, be sure to follow the 
instructions in Chapter 10, “Implementation Caveats,” on page 69. 


The various service sections in this guide contain information about completing your OES services 
implementation. See the sections for the services you have installed, beginning with Chapter 13, 
“Using the OES Welcome Web Site,” on page 87. 


Upgrading to OES 


This section provides information and links for upgrading to Open Enterprise Server. 


* Section 6.1, “OES Linux,” on page 61 
* Section 6.2, “OES NetWare,” on page 61 


6.1 OES Linux 


You can upgrade to OES Linux from SUSE® LINUX Enterprise Server (SLES) 9, SLES 9 SP1, or 
SLES 9 SP2. You cannot upgrade to OES Linux from Novell® Nterprise® Linux Services. 


Complete upgrade instructions are found in “Upgrading to OES Linux” in the OES Linux 
Installation Guide. 


6.2 OES NetWare 


You can upgrade to OES NetWare® from NetWare 5.1, NetWare 6.0, or NetWare 6.5. Complete 
instructions as well as software and hardware requirements are found in “Upgrading to OES 
NetWare” in the OES NetWare Installation Guide. 


6.2.1 Caveats 


Be aware of the following caveats when upgrading a NetWare server. 


Virtual Office from NetWare 6.5 to OES NetWare 


OES NetWare SP3, SP4, and SP6 include Virtual Office 1.6. When you upgrade a NetWare 6.5 
server to one of these support packs, any Virtual Office installations are automatically upgraded to 
version 1.6. 


OES SP2 (NetWare 6.5 SP5) didn’t include Virtual Office. However, an upgrade to version 1.6.1 
was available on the Web. 


When you upgrade an existing VO installation, all data, teams, configurations, etc. are retained with 
the following exceptions: 


* User Bookmarks are lost 
* E-mail notifications might need to be reconfigured 


* Team File Share credentials might need to be re-created. 


iManager 2.5 Replaced by iManager 2.6 


If iManager 2.5 is installed on a NetWare server, and you apply NetWare 6.5 Support Pack 6, 
iManager and its associated plug-ins are automatically updated to version 2.6. For more information 
about iManager 2.6, see the iManager 2.6 Documentation 
(http://www.novell.com/documentation/imanager26/index.html). 


If you are using iManager 2.02, iManager is not upgraded. 


Migrating/Consolidating Existing 
Servers and Data 


OES includes the Novell® Server Consolidation and Migration Toolkit to help you migrate data and 
services from existing servers to OES servers. The toolkit contains the following two utilities. 

* Section 7.1, “NetWare Migration Wizard,” on page 63 

* Section 7.2, "Server Consolidation Utility," on page 63 


7.1 NetWare Migration Wizard 


The primary purpose of the Novell NetWare® Migration Wizard is to migrate NetWare servers to 
new hardware. 


When the migration is complete, the new server replaces and assumes the identity of the old server 
on the network. 


The wizard supports migrations to OES NetWare from 


* NetWare 4.x 
* NetWare 5.x 
* NetWare 6.0 
* NetWare 6.5 
* OES NetWare 


NOTE: If you are migrating data to OES Linux, you should use the server consolidation utility 
instead. 


For more information, see “About NetWare Migration Wizard" in the Novell Server Consolidation 
and Migration Toolkit Administration Guide. 


7.2 Server Consolidation Utility 


The primary purpose of the Server Consolidation Utility is to migrate and consolidate 


* Users 

* File permissions 
* Password 

* File Systems 


* Active Directory domains 


from existing NetWare or Microsoft* Windows servers to OES Linux or OES NetWare servers. 


NOTE: If you are moving a NetWare server to new hardware, use the NetWare Migration Wizard 
instead. 


For more information, see “Server Consolidation and Migration Overview” in the Novell Server 
Consolidation and Migration Toolkit Administration Guide. 


Updating/Patching OES Servers 


OES support packs are distributed as product updates (or patches in the case of OES Linux). The 
following sections briefly explain update availability for each platform and link you to specific 
instructions. 

* Section 8.1, “OES Linux,” on page 65 

* Section 8.2, “OES NetWare,” on page 65 


8.1 OES Linux 


To update an OES Linux server to an OES support pack release, you must use the patch process 
described in the OES Linux Installation Guide. You can also install product updates as they are made 
available through the ZLM update channel. 


For instructions on setting up the ZLM update channel for each OES Linux server and running the 
patch process, see “Patching an OES Linux Server" in the OES Linux Installation Guide. 


8.2 OES NetWare 


To update an OES NetWare® server to an OES support pack release, you must use the update 
process described in the OES NetWare Installation Guide. You can also install product updates as 
they are made available on the Novell Support Web site. 


Complete information and instructions are in "Installing Products and Updates" in the OES NetWare 
Installation Guide. 


Adding OES Services to OES 
Servers 


You can add services to OES servers after they are installed by following the instructions outlined in 
the following sections. 


* Section 9.1, “OES Linux,” on page 67 
* Section 9.2, “OES NetWare,” on page 67 


9.1 OES Linux 


Do not use the Add/Remove Software option in the YaST Control Center to install additional OES 
products. Instead, select the option specific to the service you want to add. 


For example, if you want to add NetStorage as a service on an OES Linux server, the option to use is 
Network Service > NetStorage. This option not only installs all the required packages, but lets you 
configure the service as well. 


For more information on the location of service-specific options in the YaST Control Center, see 
“Installing or Configuring OES Components on an Existing Server" in the OES Linux Installation 
Guide. 


9.2 OES NetWare 


Some products such as Novell® Cluster Services™ can be installed only after completing the server 
installation. 


You can install additional products using Novell Deployment Manager (remotely) or from the GUI 
server console page (locally). For more information, see “Installing Additional Products” in the OES 
NetWare Installation Guide. 


Implementation Caveats 


After installing Novell® Open Enterprise Server, make sure you understand the instructions in the 
following sections: 

* Section 10.1, “Always Check for an nssid.sh File," on page 69 

* Section 10.2, “Implementing OES Services,” on page 71 

* Section 10.3, “Avoiding Common Implementation Problems,” on page 71 


* Section 10.4, “Samba,” on page 77 


10.1 Always Check for an nssid.sh File 


If you use Novell Storage Services™ (NSS) on OES Linux, after installing the first OES Linux 
server in a tree, you should check every subsequent server to see whether the 
/opt/novell/oes_install/nssid.sh file exists. 


If this script file exists, you must run it on the server to synchronize the file ownership information 
for specific system users. 


The following sections explain why. 


10.1.1 System Users, eDirectory, NSS, and Linux User 
Management 


As explained in Appendix F, “OES System Users and Groups,” on page 255, having NSS volumes 
on OES Linux servers requires certain system-level modifications, most of which are automatic. The 
following logic applies. 


* By default, Web services, such as Apache and Tomcat, and certain OES services, such as 
NetStorage, run on an OES Linux server as system-created POSIX users. 


* These system-created users must be able to read data on all volume types that exist on the OES 
Linux server. 


* Data on NSS volumes can be accessed only by eDirectory™ users. 


* Therefore, when NSS volumes are created on the server, the system-created users must be 
enabled for Linux User Management (LUM) so that they can function as both POSIX and 
eDirectory users. 


For more information on LUM, see “Linux Access for eDirectory Users (LUM)" on page 117. 


10.1.2 System-Created Users Are Automatically Enabled for 
LUM 


When NSS is installed on an OES Linux server, the system-created users that must be able to access 
NSS data are automatically created as LUM-enabled eDirectory users and then removed from the 
local server. For more information, see Section F.1, "System Users Created on Linux," on page 255 
and Section F.3, “System Groups Created on Linux,” on page 256. 


For example, the Apache Web server runs on all OES Linux servers as user wwwrun. If you install 
the first server in an eDirectory tree, the system-created wwwrun user might be assigned a UID of 6. 


If you install NSS on the server, either during the initial install or later, the wwwrun user is 
automatically created in eDirectory with its UID (6) stored as an attribute, and the local wwwrun 
user is removed from the server. 


Each time the Apache Web server starts, it runs as the wwwrun user account that is actually stored in 
eDirectory but also functions as a local user due to LUM. All files created and used by the wwwrun 
user show that the file owner has a UID of 6. Because wwwrun in eDirectory has a UID of 6, the 
Apache Web server can start and run. 


10.1.3 The OES Install Checks for UID Conflicts 


For each additional OES Linux server installed into the tree, when NSS is installed (either initially 
or later), the installation checks to see whether the system-created user UIDs match the information 
stored for each user in eDirectory. If subsequent servers are installed in the same way as the first 
server, the UIDs usually match. However, this is not guaranteed, and when OES services are added 
to an existing SLES 9 server, the UIDs usually do not match. 


For example, the wwwrun user created on a subsequently installed OES Linux server might have a 
UID of 7. As long as the wwwrun user exists on the local system, Apache is able to run because the 
wwwrun user's UID matches the owner information for each Apache file. However, when NSS is 
installed and the local users are removed, the affected services must run using the information stored 
in eDirectory. 


If the UID of the user that is removed doesn’t match the UID stored in eDirectory, then the 
eDirectory user can’t access the files on the server and the affected services (Apache, Tomcat, 
NetStorage) do not load. 


For example, if the wwwrun user that has a UID of 7 is removed and the wwwrun user in eDirectory 
that has a UID of 6 is supposed to replace it, then Apache cannot load and run on the server because 
the Apache files on the server are expecting their owner to have 7 as its UID. 


10.1.4 nssid.sh Is Created to Synchronize the UIDs for All 
Affected Server Files 


The OES Linux installation checks for conflicts between the UID of the local system-created user 
and the same user stored in eDirectory. When it discovers a conflict, it creates a shell script file in 
/opt/novell/oes_install named nssid.sh for the express purpose of synchronizing all 
system files on the server that have mismatched UIDs. 


The installation analyzes each system-created user separately and places an entry in the script only 
when a conflict exists. 


Because there are four system-created users that could be affected, the script file can potentially 
contain four lines. 


The installation program doesn’t run the nssid.sh automatically, because it can take from 10 
minutes to a number of hours (if the file system is very large) to synchronize the file UIDs for each 
affected user. 


Also, the installation program does not warn that a potential UID conflict exists. 


For this reason, if you use NSS on your OES Linux servers, it is imperative that you complete the 
instructions in the following section for each second, third, etc., OES Linux server that you install. 


10.1.5 Synchronizing File UID Information 


If you install NSS volumes on your OES Linux servers, then for each additional OES Linux server 
(after the first) installed into a tree, you must do the following: 


1 Log in to the server as the root user. 


2 Check to see whether the following file exists: 


/opt/novell/oes_install/nssid.sh 


3 If the file exists, run it from a shell prompt on the server to synchronize UID information in 
system files by entering the following command: 


/opt/novell/oes_install/nssid.sh 


If the file doesn't exist, no action is required. 
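

The UID comparison from Section 10.1.3 and the file check from Section 10.1.5, as an added read-only shell sketch; it is not part of OES and not the contents of nssid.sh. The passwd-format snapshots are constructed sample data using the UIDs 6 and 7 from the text, svc_placeholder is a made-up user, the function names are hypothetical, and the sketch does not query eDirectory itself.

```shell
#!/bin/sh
# Added example: a read-only pre-check for the UID conflict described above.
# It is not the OES installer logic and not the contents of nssid.sh.

# Path from Section 10.1.5; can be overridden for testing.
NSSID_SCRIPT="${NSSID_SCRIPT:-/opt/novell/oes_install/nssid.sh}"

# uid_of PASSWD_FILE USER: print the UID (third field) of USER, or nothing.
uid_of() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# find_uid_conflicts LOCAL_DB DIRECTORY_DB USER...
# Prints "user local_uid directory_uid" for every user whose UIDs differ.
# Users missing from either snapshot are skipped: there is nothing to compare.
find_uid_conflicts() {
    fc_local=$1; fc_dir=$2; shift 2
    for fc_user in "$@"; do
        fc_l=$(uid_of "$fc_local" "$fc_user")
        fc_d=$(uid_of "$fc_dir" "$fc_user")
        if [ -z "$fc_l" ] || [ -z "$fc_d" ]; then continue; fi
        if [ "$fc_l" != "$fc_d" ]; then
            printf '%s %s %s\n' "$fc_user" "$fc_l" "$fc_d"
        fi
    done
}

# count_owned_by DIR UID: number of regular files under DIR (same file system)
# owned by the numeric UID. This is the set a UID synchronization has to touch,
# which is why the run time grows with the size of the file system.
count_owned_by() {
    find "$1" -xdev -type f -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# nssid_status [PATH]: "present" means the installer recorded at least one
# conflict and the script still has to be run as root; "absent" means no action.
nssid_status() {
    if [ -f "${1:-$NSSID_SCRIPT}" ]; then echo present; else echo absent; fi
}

# make_sample_dbs DIR: write two constructed passwd-format snapshots.
# local.passwd stands for /etc/passwd on a subsequently installed server;
# directory.passwd stands for the UIDs stored in eDirectory (assumption: how
# that snapshot is exported is outside this sketch).
make_sample_dbs() {
    cat > "$1/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wwwrun:x:7:8:constructed sample entry:/var/lib/wwwrun:/bin/false
svc_placeholder:x:101:101:constructed placeholder user:/:/bin/false
EOF
    cat > "$1/directory.passwd" <<'EOF'
wwwrun:x:6:8:constructed sample entry:/var/lib/wwwrun:/bin/false
svc_placeholder:x:101:101:constructed placeholder user:/:/bin/false
EOF
}

# Demonstration on the constructed data; nothing on the system is modified.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_sample_dbs "$demo_dir"
    echo "nssid.sh is $(nssid_status) at $NSSID_SCRIPT"
    find_uid_conflicts "$demo_dir/local.passwd" "$demo_dir/directory.passwd" \
        wwwrun svc_placeholder |
    while read -r user luid duid; do
        echo "$user: local UID $luid, directory UID $duid (files owned by $luid need re-owning)"
    done
    rm -rf "$demo_dir"
}
demo
```

On the sample data only wwwrun is reported, because svc_placeholder has the same UID in both snapshots.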


10.2 Implementing OES Services 


Some OES products require additional configuration before they can be effectively used. 
Additionally, some products (such as Novell Cluster Services™ for NetWare®) can be set up only 
after completing the server installation. 


To ensure your OES network is fully configured to provide the services you expect, be sure to check 
the implementation information in the service sections of this guide that apply to the components 
you have installed. 


10.3 Avoiding Common Implementation 
Problems 


This section presents a few pointers for avoiding common implementation problems. 


Keep in mind that the list of issues presented here is not comprehensive. Rather, it simply outlines 
some of the more common problems reported by network administrators. To ensure successful 
service implementations, you should always follow the instructions in the documentation for the 
services you are implementing. 


The various service sections of this guide touch on common implementation tips as well. But again, 
there is no substitute for following the documentation prepared by the teams responsible for building 
and maintaining the service components. 


The following components have implementation caveats: 


* Section 10.3.1, “Novell iFolder 2 (OES Linux)," on page 72 
* Section 10.3.2, “iManager 2.5,” on page 73 

* Section 10.3.3, “iPrint,” on page 74 

* Section 10.3.4, “NCP Server (OES Linux),” on page 75 

* Section 10.3.5, “NSS (OES Linux),” on page 75 


10.3.1 Novell iFolder 2 (OES Linux) 


You will want to be aware of the following when using Novell iFolder® 2 on OES Linux. 


Novell iFolder 2 on Linux Requires a Dedicated IP Address 


When you install Novell iFolder 2 on Linux, the installation program checks to see whether there are 
other Web services running on the server. 


If there are no other services, you have the option to install Novell iFolder as either 


* A standalone Novell iFolder server, meaning that you don’t plan to add other Web applications 
to the server in the future. 

or 

* A Novell iFolder server running with other Web applications, meaning that you might choose to 
add other Web applications later. 


If there are other services running, you do not have the option to install Novell iFolder in standalone 
mode. 


Adding Other Web Services to a Standalone Novell iFolder Server 


If you have installed a standalone Novell iFolder server and later decide to install other Web 
applications on the same server, you must reconfigure the Novell iFolder installation after adding 
the other Web services. 


The simplest way to do this is using YaST: 


1 Start YaST. 

If you installed Novell iFolder without KDE (the default), run YaST in text mode by entering 
yast at a shell prompt. 

2 Select Network Services > iFolder 2.x. 

3 Answer Yes to the warning that Novell iFolder is already installed. 


4 Tab to the Admin Password field and type the eDirectory Admin password, then go to the next 
screen by tabbing to Next and pressing Enter. 


5 Select the iFolder 2.x and Other Web Applications Will Run on This Server option. 


6 In the iFolder 2.x Server IP Address field, type a unique IP address that is on the same subnet 
as the primary IP address specified for the server. 


7 Type the same netmask as specified for the primary IP address. 
8 Type a hostname for the IP address assigned in Step 6. 
9 Click Next twice. 


The new iFolder configuration is written to the system configuration files. 


Adding a Novell iFolder Server to an Existing OES Linux Server 


If you have installed an OES Linux server with Web applications, such as NetStorage, and later decide to 
install Novell iFolder on the same server, you must specify the unique IP address information and 
hostname that Novell iFolder requires as you add the service. 


The simplest way to do this is using YaST: 


1 Start YaST. 

If you installed Novell iFolder without KDE (the default), run YaST in text mode by entering 
yast at a shell prompt. 

2 Select Network Services > iFolder 2.x. 


3 Tab to the Admin Password field and type the eDirectory Admin password, then go to the next 
screen by tabbing to Next and pressing Enter. 


4 Select the iFolder 2.x and Other Web Applications Will Run on This Server option. 


5 In the iFolder 2.x Server IP Address field, type a unique IP address that is on the same subnet 
as the primary IP address specified for the server when it was installed. 


6 Type the same netmask as specified for the primary IP address. 

7 Type a hostname for the IP address assigned in Step 6. 

8 Do not change the User Data Path. 

9 Click Next twice. 


The Novell iFolder configuration is written to the system configuration files. 


10.3.2 iManager 2.5 


iManager 2.5 has the following implementation caveats. 


Be Sure to Run the iManager Configuration Wizard 


In “Installing RBS” in the Novell iManager 2.5 Administration Guide, you are instructed to run the 
iManager Configuration Wizard before using iManager. 


When iManager is installed in connection with OES, various roles and tasks are configured, as 
shown in Figure 10-1. 


These roles and tasks are available to all the users you create until you run the configuration wizard. 
After that, the roles and tasks are available only to the Admin user and other users or groups you 
specifically designate. 


Figure 10-1 iManager Roles and Tasks 


For more information on iManager, see the Novell iManager 2.5 Administration Guide. 


10.3.3 iPrint 


iPrint has the following implementation caveats. 


iManager Plug-Ins Are Platform-Specific 


The iManager plug-ins are different for each server platform. Therefore, if you have both OES 
Linux and OES NetWare servers running iPrint services, you need two instances of iManager to 
manage iPrint—one on each platform. 


No Cluster Failover between Platforms 


Clustered iPrint services can only fail over to the same OES platform (Linux or NetWare). 


iPrint on OES Linux 


You should be aware of the following when using iPrint on OES Linux. 


Uploading Print Drivers for iPrint 


From a Linux workstation running iManager, only the From System button works to upload drivers 
through a Mozilla-based browser. This means that the following will not work: 
* Uploading Windows drivers from Linux 


* Uploading from Konqueror or other non-Mozilla-based browsers 


Uploading Might Require a CUPS Administrator Credential 


A PPD is the Linux equivalent of a printer driver on Windows. 


There are two versions of the iPrint client: high-security and low-security. By default, end users and 
administrators install the high-security client when using the iPrint Printer List Web page. 


This means that administrators are prompted for a CUPS administrator credential when uploading 
PPDs. However, the prompt doesn’t specify that a CUPS administrator credential is needed and the 
root user credential does not work. 


iPrint Disables Printing on the Server 


iPrint uses CUPS to render print jobs before sending the print job to the Print Manager. For 
performance and scalability, printing from the server itself is disabled during the OES installation of 
iPrint. 


iPrint Client for Linux Doesn't Install Automatically 


Users who are used to installing the Windows iPrint client expect to choose an Open option and have 
the client install automatically. However, installing the client on Linux workstations requires saving 
the RPM package and then installing it manually if a package manager is not already installed and 
configured as it is in Novell Linux Desktop. For more information, see “Linux: iPrint Client” in the 
OES iPrint Administration Guide for Linux. 


10.3.4 NCP Server (OES Linux) 


NSS file attributes and NCP™ services tend to get mixed together in the minds of NetWare 
administrators. It is important to remember that file and directory attributes are supported and 
enforced by the file system that underlies an NCP volume, not by the NCP server. 


For example, even though the Rename Inhibit attribute appears to be settable in the NCP client 
interface, if the underlying file system is traditional Linux (Reiser, etc.) there is no support for the 
attribute and it cannot be set. 


Some administrators assume they can provide NSS attribute support by copying or migrating files, 
directories, and metadata from an NSS volume to a defined NCP volume on a traditional Linux 
partition. However, this doesn’t work, because NSS file attributes are only supported on NSS 
volumes. 


10.3.5 NSS (OES Linux) 


NSS on Linux has the following implementation caveats. 
Only EVMS Is Supported 


For this release, NSS recognizes only drives that are managed by EVMS. If your hard drive is 
managed by Linux Volume Management, it cannot be managed by EVMS and NSS does not 
recognize it. 


For example, administrators are sometimes stumped when trying to create NSS pools and partitions 
on a drive using the Novell Storage Services™ Management Utility (NSSMU), because the utility 
doesn’t recognize the drive. 


If you experience this problem, use the YaST Partitioner to delete everything from the drive. You 
might then need to reboot the machine for NSSMU to recognize the drive. 


User Quota Enforcement Always Requires Linux-Enabled Users 


If you use User Quotas to limit the amount of disk space available to network users, you must ensure 
that users are enabled for Linux access using the iManager Linux User Management (LUM) plug-in. 


This requirement extends to access through services that don’t require LUM for general access, such 
as Web-based services like NetStorage and NCP clients accessing NCP/NSS volumes. 


Background Information 


The basic reason for this requirement is that NSS requires LUM to map file ownership between 
POSIX* and eDirectory. If users are not enabled for Linux access, directories and files that they 
create on NSS volumes are actually owned by the root user and not counted against any quotas you 
have set for them. For more information, see “Enforcing File Ownership and User Space 
Restrictions” in the Novell Storage Services File System Administration Guide for OES. 


Moving an NSS Volume from NetWare to OES Linux 


Some organizations are moving drives that contain NSS volumes from NetWare servers to OES 
Linux servers. The process is very straightforward and completely reliable, provided you follow the 
instructions in the “Coexistence and Migration Issues” section in the Novell Storage Services File 
System Administration Guide for OES. 


The key point to remember is that you must enable volume users for Linux access before activating 
the moved volume for user access. For details, see the information in “Access Control Issues for 
NSS on OES Linux” in the Novell Storage Services File System Administration Guide for OES. 


Setting User Quotas On Volumes that Are Being Used 


Users who are not enabled for Linux access can work on NSS volumes through NCP clients and 
Web-based file services, such as NetStorage and iFolder. However, files created by these users are 
not counted against User Quotas because the system can’t map file ownership between POSIX and 
eDirectory, so all newly created files are owned by the root user. 


If you have created an NSS volume on an OES Linux server or moved a volume from NetWare to 
OES Linux, and you didn’t enable volume users for Linux prior to allowing volume access, you can 
set quotas by following the instructions in “Setting Quotas for Users Who Were Not Initially 
Enabled for Linux Access (Linux)” in the Novell Storage Services File System Administration Guide 
for OES. 
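
The ownership gap described in the two user-quota sections above can be checked from the Linux side by tallying POSIX ownership on the volume. The following Python script is an added example, not part of the Novell guide; the volume path is an assumption supplied by the administrator on the command line, and the sample tree it builds when no path is given is constructed for demonstration.

```python
import os
import stat
import sys
import tempfile
from collections import defaultdict


def usage_by_owner(volume_root):
    """Return {uid: (file_count, total_bytes)} for regular files under volume_root."""
    totals = defaultdict(lambda: [0, 0])
    for dirpath, _dirnames, filenames in os.walk(volume_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks off the volume
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            totals[st.st_uid][0] += 1
            totals[st.st_uid][1] += st.st_size
    return {uid: (count, size) for uid, (count, size) in totals.items()}


def unattributed_share(totals, fallback_uid=0):
    """Fraction of bytes owned by fallback_uid (root by default).

    Per the guide, files written by users who are not Linux-enabled end up
    owned by root, so this share approximates data that no user quota counts.
    """
    all_bytes = sum(size for _count, size in totals.values())
    if all_bytes == 0:
        return 0.0
    return totals.get(fallback_uid, (0, 0))[1] / all_bytes


def build_sample_tree():
    """Create a small constructed directory tree (600 bytes in 3 files)."""
    root = tempfile.mkdtemp(prefix="nss_quota_demo_")
    os.mkdir(os.path.join(root, "projects"))
    for rel, size in (("a.dat", 100), ("b.dat", 200),
                      (os.path.join("projects", "c.dat"), 300)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    # Pass the mount point of the volume to audit; without one, use the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    totals = usage_by_owner(target)
    for uid, (count, size) in sorted(totals.items()):
        print(f"uid {uid}: {count} files, {size} bytes")
    print(f"share owned by root: {unattributed_share(totals):.1%}")
```

A large root-owned share on a volume that users write to through NCP or NetStorage suggests that those users were not enabled for Linux access before the volume was opened to them.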
10.4 Samba 


For Samba implementation caveats, see “Samba Caveats” in the Samba Administration Guide for OES 
Linux SP2. 


Server Platforms 


This section introduces the two OES server platforms: 


* Chapter 11, “SUSE LINUX Enterprise Server 9,” on page 81 
* Chapter 12, “OES NetWare,” on page 83 
SUSE LINUX Enterprise Server 9 


SUSE® LINUX Enterprise Server 9 (SLES 9) is the Novell® Linux platform for Open Enterprise 
Server (OES) services. OES Linux lets you combine Novell’s industry-leading network services 
with open source applications on the same server. 


This section contains the following sections to help you get started with running OES services on 
SLES 9: 


* Section 11.1, “Planning Your OES Linux Implementation,” on page 81 
* Section 11.2, “Coexistence and Migration,” on page 81 
* Section 11.3, “Implementation Suggestions for OES Linux,” on page 81 
* Section 11.4, “Maintenance Suggestions for OES Linux,” on page 82 


11.1 Planning Your OES Linux Implementation 


As you plan to install OES on the SLES 9 platform, you should review the information in Chapter 3, 
“Planning Your OES Implementation,” on page 33. That and other sections in this guide can help to 
answer such questions as 


* Which OES services are available for Linux. 


You can learn which OES services run on Linux by reviewing the summary information in 
Table 3-1 on page 34. 


* What differences exist in the way services function on Linux compared with NetWare. 


See Section 3.4, “Which OES Platform Is Best for My Services?,” on page 37 and the specific 
service sections in this guide. 


We also recommend that you use the information in “Preparing to Install OES Linux” in the OES 
Linux Installation Guide to plan your installation. 


11.2 Coexistence and Migration 


Coexistence and migration tools for OES are summarized in Chapter 7, “Migrating/Consolidating 
Existing Servers and Data,” on page 63. 


For more information, see the OES Coexistence and Migration Guide. 


11.3 Implementation Suggestions for OES Linux 


To help you become acquainted with basic OES services on the Linux platform, we provide a Lab 
Guide for OES Linux with step-by-step instructions designed to introduce OES services in a lab 
environment. 


To install OES Linux, see the OES Linux Installation Guide. 


For help implementing specific OES services on SLES 9, see the implementation sections for those 
services in the subsequent sections of this guide. 
IMPORTANT: The OES documentation set includes the SUSE LINUX Enterprise Server 9 
Administration Guide which contains valuable information regarding SLES 9 and its standard 
services. The OES Documentation Web site contains links to this guide. 


Be aware that some instructions in this guide, such as the installation sections, are for installing and 
running a standard SLES 9 server but not for installing a SLES 9 server and running OES services. 


You should always consult the information in the OES manuals and guides first when working with 
OES services on SLES 9. 


11.4 Maintenance Suggestions for OES Linux 


For help maintaining OES services on SLES 9, see the maintenance sections for the services in the 
subsequent sections of this guide. 
OES NetWare 


NetWare® is the Novell® special-purpose network operating system that is squarely focused on 
running and managing your network. NetWare security, scalability, and performance have long set 
the benchmark for network operating systems. 


This section contains the following sections to help you get started with running OES services on 
OES NetWare: 


* Section 12.1, “Planning Your OES NetWare Implementation,” on page 83 
* Section 12.2, “Coexistence and Migration of NetWare Services,” on page 83 
* Section 12.3, “Implementation Suggestions for OES NetWare,” on page 83 
* Section 12.4, “Maintenance Suggestions for OES NetWare,” on page 84 


12.1 Planning Your OES NetWare Implementation 


As you plan to install OES NetWare, you should probably review the information in Chapter 3, 
"Planning Your OES Implementation," on page 33. That and other sections in this guide will help to 
answer questions, such as 


* Which OES services are available for NetWare. 


You can learn which OES services run on NetWare by reviewing the summary information in 
Table 3-1 on page 34. 


* What differences exist in the way services function on NetWare compared with Linux. 


See Section 3.4, “Which OES Platform Is Best for My Services?,” on page 37, and the specific 
service sections in this guide. 


We recommend that you use the planning information found in “Installing OES NetWare” in the 
OES NetWare Installation Guide to plan your installation. 


12.2 Coexistence and Migration of NetWare Services 


Coexistence and migration tools for OES are summarized in Chapter 7, “Migrating/Consolidating 
Existing Servers and Data,” on page 63. 


For a discussion of NetWare coexistence and migration issues, see the OES Coexistence and 
Migration Guide. 


12.3 Implementation Suggestions for OES NetWare 


To help you become acquainted with basic OES services on the NetWare platform, we provide a Lab 
Guide for OES NetWare with step-by-step instructions designed to introduce OES services. 


To install OES NetWare, see the OES NetWare Installation Guide. 


For help implementing specific OES services on NetWare, see the implementation sections for those 
services in the sections that follow in this guide. 


12.4 Maintenance Suggestions for OES NetWare 


For a list of common NetWare maintenance topics and tasks, see the Operating Systems page > 
NetWare Links in the OES online documentation. 


For help maintaining OES services on NetWare, see the maintenance sections for the services in the 
sections that follow in this guide. 
Management Interfaces and Services 


* Chapter 13, “Using the OES Welcome Web Site,” on page 87 
* Chapter 14, “OES Utilities and Tools," on page 91 
Using the OES Welcome Web Site 


After you install an OES server, anyone with browser access to the server can access its Welcome 
Web site—a collection of dynamic Web pages that provides the features illustrated and explained in 
Figure 13-1. 


Figure 13-1 The Default OES Welcome Page 
This section explains OES Welcome Web Site features, and discusses: 


* Section 13.1, “The Welcome Site Requires Apache and Tomcat,” on page 87 
* Section 13.2, “Accessing the Welcome Web Site,” on page 88 
* Section 13.3, “The Welcome Web Site Is Available to All Users,” on page 88 
* Section 13.4, “Administrative Features of the Welcome Pages,” on page 88 
* Section 13.5, “Where's eGuide in OES Linux?,” on page 90 


13.1 The Welcome Site Requires Apache and Tomcat 


It is possible to install OES on either supported platform without including the Apache Web Server 
or the Tomcat Servlet Container. For example, if you install OES NetWare® using the Customized 
NetWare Server option, neither of these components is selected by default. 


If you are unable to access the Welcome Web site, your server is probably missing one or both of 
these required components. To make the site available, you need to add the components to the OES 
server. 
13.2 Accessing the Welcome Web Site 


Anyone with browser access to an OES server can access the Welcome Web site by doing the 
following: 


1 Open a supported Web browser that has a TCP connection to the network where the OES server 
is installed. 

2 Enter the URL to the server using http. 
For example: 


http://server.example.com 


or 
http://192.168.1.206 


13.3 The Welcome Web Site Is Available to All Users 


Although the Welcome Web site is designed primarily for administrators, it can also be accessed and 
used by end users. For example, if iPrint is installed on the server, users can install the iPrint Client 
from a link on the iPrint product page. 


Figure 13-2 The iPrint Product Page 
13.4 Administrative Features of the Welcome Pages 


The administrative features on the OES Welcome pages differ slightly between OES Linux and OES 
NetWare servers. 


NetWare exposes the administrative links only after the user authenticates to eDirectory™. 
Because the Linux pages don’t support eDirectory authentication, the link box on Linux is static. In 
some cases, both end user and administrative links appear. In other cases, no administrative links are 
available. Link availability is determined by the product team responsible for the page. 


Table 13-1 compares Welcome page functionality on Linux and NetWare. 


Table 13-1 Welcome Pages on Linux and NetWare 


Feature: Accessing the administrative Welcome pages 
OES Linux Servers: There is only one set of Welcome pages. Most Linux pages include the 
administrative links. 
OES NetWare Servers: Administrators have two options for authenticating to eDirectory: 
* Click the Login link in the site banner. 
* Specify HTTPS and port 2200 when accessing the server. For example, they might enter the 
following URL: https://server.example.com:2200 

Feature: Linking to administrative tools 
OES Linux Servers: Administrators can access most administrative tools from links on the 
product pages. 
OES NetWare Servers: Administrators can access most administrative tools from links on the 
product pages. Authentication is not required in some cases because the connection is already 
authenticated to eDirectory. iManager 2.5 is a notable exception to this. 

Feature: Installing products 
OES Linux Servers: Not available. 
OES NetWare Servers: Many products that aren't installed include an installation link in their 
link box. When clicked, this link launches iManager 2.5, which lets you install the product. 
NOTE: In some cases, the Welcome Web site is not updated to reflect product installation. For 
some products this is solved by restarting the Web server. For information about how to restart 
the Web server, see the Apache Web Server for NetWare Administration Guide for OES. 

Feature: Setting Welcome page preferences 
OES Linux Servers: You can set an alternate default Welcome page by selecting from the list of 
installed products at the bottom of the main panel (on the initial page). For example, if the 
server is an iPrint server, you might set the default page to iPrint. Users accessing the page can 
then download and install the iPrint client for their workstation type. 
OES NetWare Servers: Authenticated administrators can set an alternate default Welcome page 
by selecting from the list of installed products at the bottom of the main panel (on the initial 
page). For example, if the server is an iPrint server, you might set the default page to iPrint. All 
users accessing the page can then download and install the iPrint client for their workstation 
type. Admin users accessing the page can immediately install printers and create or modify 
iPrint maps. 

13.5 Where's eGuide in OES Linux? 


eGuide does not have a Welcome page on OES Linux servers. 
To access the eGuide Administration utility in Linux, specify the following (case-sensitive) URL: 
http://ip_or_dns/eGuide/admin/index.html 


Replace ip_or_dns with the hostname or IP address of the Web server where you installed eGuide. 
Depending on how your Web server and Web application server are configured, you might need to 
include the port number the server listens on with the hostname or IP address (for example, 
ip_or_dns:80). 


To access the eGuide client, specify the following (case-sensitive) URL: 
http://ip_or_dns/eGuide 


Replace ip_or_dns with the hostname or IP address of the Web server where you installed eGuide. 


OES Utilities and Tools 


Novell® OES includes several administration utilities that let you manage everything in your 
network, from configuring and managing eDirectory™ to setting up network services and open 
source software. This section lists and briefly explains the most common utilities. 


NOTE: Some of the utilities are for managing only OES NetWare® or OES Linux servers but not 
both. 


* Section 14.1, “Overview of Management Tools and Interfaces," on page 91 


14.1 Overview of Management Tools and Interfaces 


Whenever possible, we recommend that all OES management be performed using browser-based 
tools. This ensures that all the system commands required to execute various tasks are performed in 
proper order and that none of them is overlooked. 


Table 14-1 is a quick reference for accessing information about the OES management tools. 


Specific instructions for the tasks listed are located in the administration guides and other 
documentation for the services each tool manages. 


Table 14-1 OES Management Tool Quick Reference 


Tool: Apache Manager 
Tasks: 
* Control one or many Apache Web servers on any platform from a single management interface. 
* Greatly reduce the risk of configuration errors. 
Access Method or URL/Username: To access Apache Manager from the Welcome Web site: 
1. Open the Welcome Web site on an OES NetWare server using your server's URL. For example, 
http://myserver.example.com. 
2. Log in as the eDirectory Admin user. 
3. In the left frame, click the icon next to Open Source, then click Apache 2.0. 
4. After the Apache 2.0 Welcome page loads, in the upper right link box, click either Administer 
Single Apache Server or Administer Multiple Apache Servers. 
Notes: Runs only from NetWare, but can configure Apache Web servers on multiple platforms. 
For more information on using Apache Manager, see the Apache Web Server for NetWare 
Administration Guide for OES. 


Tool: bash (Linux) 
Tasks: 
* Manage the Linux server. 
* Manage many services running on the server. 
Access Method or URL/Username: Access a shell prompt on the Linux server. 
Notes: For more information or help understanding and using bash, search the Web for any of the 
numerous articles and tutorials on using the shell. 


Tool: BASH (NetWare) 
Tasks: 
* Perform a subset of BASH commands. 
Access Method or URL/Username: To start the shell at a NetWare console prompt, enter 
bash.nlm 
Notes: To learn more about using the BASH commands on NetWare, see the man pages available at 
the shell prompt by entering 
man bash 
For more information, see "BASH" in the Utilities Reference for OES. 
To obtain the source files for this version of BASH on NetWare, visit forge.novell.com 
(http://forge.novell.com). 


Tool: ConsoleOne (NetWare) 
Tasks: 
* Manage eDirectory objects, schema, partitions, and replicas. 
* Manage NetWare server resources. 
Access Method or URL/Username: 
1. Do either of the following: 
From a workstation, map a drive to the server and run consoleone.exe from 
sys:\public\mgmt\consoleone\1.2\bin 
or 
From a NetWare server console, click the Novell menu and select ConsoleOne from the list of 
options. 
2. Specify the eDirectory Admin username and password. 
Notes: For more information about ConsoleOne, see the ConsoleOne 1.3.x User Guide. 


Tool: eGuide Administrator 
Tasks: Configure 
* LDAP data sources. 
* Searching. 
* Look-and-feel. 
* Security. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS/eGuide/admin 
2. Specify the eDirectory Admin username and password. 
Notes: For more information on using the eGuide Administrator tool, see the Novell eGuide 2.1.2 
Administration Guide. 

Tool: Health Monitoring Services 
Tasks: 
* Monitor the health of Linux or NetWare servers. 
Access Method or URL/Username: 
1. Do either of the following: 
In iManager, click Servers > Monitor Servers in the left navigation frame. 
or 
In Novell Remote Manager, click Health Monitor under Diagnose Server. 
2. Specify the eDirectory Admin username and password. 
Notes: Health Monitoring Services are documented in the Health Monitoring Services 
Administration Guide for OES. 
Health Monitoring Services use a Common Information Model (CIM) provided by the Web-Based 
Enterprise Management (WBEM) Initiative. For more information on WBEM, visit the DMTF Web 
site (http://www.dmtf.org/standards/wbem). 

Tool: iFolder 2.1x Management 
Tasks: 
* Manage Novell iFolder servers. 
* Manage Novell iFolder users. 
* Monitor resource usage. 
* Generate system reports. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS/iFolderServer/Admin 
2. Specify the eDirectory Admin username and password. 
Notes: Although the home page is displayed after an http ... 
For more information on using the iFolder Management Tool, see the Novell iFolder 2.1 
Installation and Administration Guide. 


Tool: iManager 2.5 
Tasks: 
* Access various other management tools and plug-ins. 
* Configure OES network services. 
* Create and manage users, groups, and other objects. 
* Delegate administration through Role-Based Services (RBS). 
* Manage eDirectory objects, schema, partitions, and replicas. 
* Manage NetWare 6.5 servers. 
* Manage OES services. 
* Set up and manage your Novell eDirectory tree. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
http://IP_or_DNS/iManager.html 
2. Specify the eDirectory Admin username and password. 
Notes: Requires an SSL connection (HTTPS). 
Both HTTP and HTTPS requests establish the SSL connection. 
For more information on using iManager, see the Novell iManager 2.5 Administration Guide. 
See also Mobile iManager. 

Tool: iMonitor 
Tasks: 
* Monitor and diagnose all the servers in your eDirectory tree. 
* Examine eDirectory partitions, replicas, and servers. 
* Examine current tasks taking place in the tree. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter one of the following URLs: 
(On NetWare) http://IP_or_DNS:81/nds 
(On Linux) https://IP_or_DNS:8030/nds 
2. Specify the eDirectory Admin username and password. 
Notes: iMonitor provides a Web-based alternative to tools such as DSBrowse, DSTrace, DSDiag, 
and the diagnostic features available in DSRepair. 
Because of this, iMonitor's features are primarily server focused, meaning that they report the 
health of individual eDirectory agents (running instances of the directory service) rather than the 
entire eDirectory tree. 
For more information, see "Using Novell iMonitor 2.1" in the Novell eDirectory 8.7.3 
Administration Guide. 

Tool: INETCFG (NetWare) 
Tasks: 
* Manage network and server TCP/IP communications. 
* Manage IP addresses. 
* Bind boards on a NetWare server. 
Access Method or URL/Username: 
1. Load the inetcfg NLM™ at a NetWare System Console prompt. 
2. Access the server console. 
3. Toggle to the Screen. 
Notes: For more information, see "INETCFG" in the Utilities Reference for OES. 

Tool: IP Address Manager (NetWare) 
Tasks: 
* Manage the IP address-application association when changing the NetWare server's IP address. 
* Resolve IP address and port conflicts. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS:8009 
2. Specify the eDirectory Admin username and password. 
Notes: For more information, see the Novell NetWare IP Address Management Administration 
Guide for OES. 

Tool: iPrint Map Designer 
Tasks: 
* Create a printer map to aid in printer selection/installation. 
* Edit an existing printer map. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
http://IP_or_DNS/ippdocs/maptool.htm 
2. Specify the eDirectory Admin username and password. 
Notes: For OES Linux server instructions, see “Setting Up Location-Based Printing” in the OES 
iPrint Administration Guide for Linux. 
For OES NetWare server instructions, see “Setting Up Location-Based Printing” in the OES iPrint 
Administration Guide for NetWare. 


Tool: Mobile iManager 
Tasks: 
* Manage eDirectory. 
* Create and manage users, groups, and other objects. 
* Manage OES services. 
* Access various other management tools and plug-ins. 
Access Method or URL/Username: 
On a Linux workstation: 
1. At the bin directory of the expanded iMan_25_Mobile_iManager_linux.tar directory, run 
imanager.sh. 
2. Log in using the eDirectory Admin username, password, and eDirectory tree name. 
On a Windows workstation: 
1. At the bin directory of the unzipped iMan_25_Mobile_iManager_win directory, run 
imanager.bat. 
2. Log in using the eDirectory Admin username, password, and eDirectory tree name. 
Notes: Requires an SSL connection (HTTPS). 
Both HTTP and HTTPS requests establish the SSL connection. 
For more information on using Mobile iManager, see “Starting Mobile iManager on Linux” and 
“Starting Mobile iManager on Windows” in the Novell iManager 2.5 Installation Guide. 
See also iManager. 


Tool: MySQL 4.0 (phpMyAdmin) (NetWare) 
Tasks: 
* Create and manage MySQL databases. 
* Monitor processes. 
* Export databases. 
* Create and manage user accounts. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS:2200/phpMyAdmin/index.php 
2. Specify the eDirectory Admin username and password. 
Notes: For more information, see the MySQL for NetWare Administration Guide for OES. 

Tool: NetStorage Web Interface 
Tasks: 
* Manage file system access. 
* Manage file system space restrictions. 
* Salvage and purge deleted files. 
Access Method or URL/Username: Use the NetStorage Web interface. 
Notes: As an Admin user (or equivalent), you can set directory and user quotas for NSS data 
volumes. You can also set file system trustees, trustee rights, and attributes for directories and 
files on NSS volumes. And you can Salvage and Purge deleted files. 
For more information, see either of the following: 
* "Viewing or Modifying Directory and File Attributes and Rights" in the OES NetStorage 
Administration Guide for Linux. 
* "Viewing or Modifying Directory and File Attributes and Rights" in the OES NetStorage 
Administration Guide for NetWare. 

Tool: NetWare Command Line Utilities 
Tasks: 
* Manage and configure all aspects of the NetWare operating system. 
* Manage many of the network services that NetWare hosts. 
Access Method or URL/Username: Enter the commands at the server console or through a remote 
connection. 
Notes: For more information, see the Utilities Reference for OES. 

Tool: Novell Client 
Tasks: 
* Manage file system access. 
* Manage File System Space Restrictions. 
* Salvage and purge deleted files. 
Access Method or URL/Username: Use the Novell N icon to access these and other tasks. 
Notes: As an Admin user (or equivalent), you can set directory and user quotas for NSS data 
volumes. You can also set file system trustees, trustee rights, and attributes for directories and 
files on NSS volumes. And you can Salvage and Purge deleted files. 
For more information, see “Managing File Security and Passwords” in the Novell Client for 
Windows Installation and Administration Guide. 


Tool: Novell Remote Manager (NRM) 
Tasks: 
* Manage file system access and attributes for the NetWare Traditional File System and the NSS 
File System on NetWare. 
* Manage NetWare Traditional File Systems (NetWare). 
* Manage OES ... remote location. 
* Monitor your server's health. 
* Perform diagnostic and debugging tasks. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS:8009 
2. Do one of the following: 
On NetWare, specify the eDirectory username and password. 
or 
On Linux, specify either the eDirectory username and password or a Linux (POSIX) username and 
password. 
Notes: Functionality is limited for non-Admin or non-root users on both platforms. 
NRM on Linux doesn't include all the functionality of NRM on NetWare. 
For more information, see the Novell Remote Manager for NetWare Administration Guide for OES 
or the Accessing Novell Remote Manager for Linux 

Tool: NSS Management Utility (NSSMU) 
Tasks: 
* Manage the Novell Storage Services File System. 
Access Method or URL/Username: 
At the NetWare System Console prompt: 
1. Load the NSSMU NLM. 
2. Access the server console. 
3. Toggle to the screen. 
At the Linux shell prompt: 
1. Load NSSMU by entering 
/opt/novell/nss/sbin/nssmu 
Notes: NSS Management Utility (NSSMU) is a server console application used to manage the 
Novell Storage System (NSS) logical file system. 
Some functionality available on NetWare is not available on Linux. For example, software RAID 5 
and Encrypted Volume Support are not available for Linux. 
For more information, see “NSS Management Utility” in the Novell Storage Services File System 
Administration Guide for OES. 

Tool: OpenSSH (client access) 
Tasks: 
* Securely run commands on remote servers. 
* Securely copy files and directories to and from other servers using SSH utilities. 
Access Method or URL/Username: Connect to the server using your favorite SSH client. 
Notes: On Linux, OpenSSH is installed by default. 
On OES NetWare, load sshd.nlm at the server console. 
To use OpenSSH from a workstation on your network, you must download one of several available 
third-party SSH utilities, such as PuTTY. For more information, see “Setting Up SSH at 
Workstations” in the OpenSSH Administration Guide. 

Tool: OpenSSH Advanced Admin (NetWare) 
Tasks: 
* Manage OpenSSH Servers as server groups. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS:2200/Sshdadmin/main.htm 
2. Specify the eDirectory Admin username and password. 
Notes: For more information, see “Setting Up OpenSSH in Your Network” in the OpenSSH 
Administration Guide. 

Tool: OpenSSH Simple Admin (NetWare) 
Tasks: 
* Manage all aspects of a single OpenSSH server. 
Access Method or URL/Username: 
1. In a Supported Web Browser, enter the following URL: 
https://IP_or_DNS:2200/Sshdadmin/WebMan?file-webman.xml 
2. Specify the eDirectory Admin username and password. 
Notes: For more information, see “Setting Up OpenSSH in Your Network” in the OpenSSH 
Administration Guide. 

Tool: OpenWBEM 
Tasks: 
* Perform tasks instrumented by specific providers. 
Access Method or URL/Username: 
On NetWare, access sys\system\cimom\etc\openwbem\openwbem.conf. 
On Linux, access /etc/openwbem. 
Notes: For more information, see the OpenWBEM Services Administration Guide for OES. 

Tool: Perl
Tasks: A programming language developed by Larry Wall that
* Runs faster than shell script programs.
* Reads and writes binary files.
* Processes very large files.
* Lets you quickly develop CGI applications.
Access Method or URL/Username: On Linux, install the associated RPM files.
On NetWare, refer to the instructions on the Novell Developer Web site
(http://developer.novell.com/ndk/doc/perl5/prl57enu/data/h4cr34aj.html).
Notes: For more information or help understanding and using Perl, search the Web. There are
numerous articles and tutorials on using this versatile programming language.

Tool: QuickFinder Server Manager
Tasks:
* Create search indexes for any Web site or attached file systems.
* Modify the search dialog look-and-feel to match your corporate design.
* Create full-text indexes of HTML, XML, PDF, Word, OpenOffice.org, and many other document
formats.
* Configure and maintain your indexes remotely from anywhere on the Net.
Access Method or URL/Username:
1. In a Supported Web Browser, enter the following URL:
   http://IP or DNS/ arsenal dns
2. Do one of the following:
   On NetWare, specify the eDirectory Admin user and password.
   or
   On Linux, specify the root or other user as documented.
Notes: For more information, see the QuickFinder Server Administration Guide.
Tool: RConsoleJ (NetWare)
Tasks:
* Access NetWare servers remotely.
* Run server utilities from a workstation.
Access Method or URL/Username:
1. Load the rconag6 NLM on the NetWare server.
2. At a workstation, map a drive to the server and run rconj.exe from
   sys:\public\mgmt\consoleone\1.2.
3. When prompted, enter the server's IP address or DNS name (with no leading http or https)
   and your administrator password, and then click Connect.
Notes: For more information, see “Managing NetWare Servers Remotely” in the Remote Server
Management for NetWare Administration Guide for OES.

Tool: Remote Manager
Notes: See Novell Remote Manager.

Tool: SNMP for eDirectory
Tasks: Lets you use standard SNMP tools to
* Monitor an eDirectory server.
* Track the status of eDirectory to verify normal operations.
* Spot and react to potential problems when they are detected.
* Configure traps and statistics for selective monitoring.
* Plot a trend on the access of eDirectory.
* Store and analyze historical data that has been obtained through SNMP.
* Use the SNMP native master agent on all eDirectory platforms.
Access Method or URL/Username:
1. Configure SNMP for eDirectory as documented for your platform.
2. Access SNMP for eDirectory services using the SNMP management interface of your choice.
3. Specify the eDirectory Admin username and password.
Notes: SNMP support is installed with eDirectory.
For more information on SNMP for eDirectory, see “SNMP Support for Novell eDirectory” in the
Novell eDirectory 8.7.3 Administration Guide.


Tool: SUSE® LINUX Monitoring Utilities
Tasks: Manage the Linux server and standard Linux services from the shell prompt.
Access Method or URL/Username: Enter the desired command at the shell prompt.
Notes: For more information, see “System Monitoring Utilities” in the SUSE LINUX Enterprise
Server 9 Administration Guide.

Tool: TCP/IP Configuration (NetWare - NRM)
Tasks:
* Add a new network card.
* A iate TCP/IP S i ard p network card.
* Edit system files.
* Enable and configure TCP/IP.
* Configure network management parameters.
* Copy configuration information to or from a diskette.
* Modify the hardware parameters of an existing network card.
Access Method or URL/Username:
1. In a Supported Web Browser, enter the following URL:
   https://IP or DNS:8009/webcfg
2. Specify the eDirectory Admin username and password.
Notes: For more information, see “Monitoring TCP/IP Information” in the Novell TCP/IP
Administration Guide for OES.

Tool: TCP/IP Protocol Information (NetWare - NRM)
Tasks: Monitor protocol information.
Access Method or URL/Username:
1. In a Supported Web Browser, enter the following URL:
   https://IP or DNS:8009/protocols
2. Specify the eDirectory Admin username and password.
Notes: For more information, see “Web-based TCP/IP Monitoring” in the Novell TCP/IP
Administration Guide for OES.

Tool: Tomcat Admin (NetWare)
Tasks:
* Manage the Tomcat servlet container on a NetWare server.
Access Method or URL/Username:
1. In a Supported Web Browser, enter the following URL:
   https://IP or DNS/tomcat/admin/index.jsp
2. Specify the eDirectory Admin username and password.
Notes: For more information, see “Managing Web Applications and Servlets” in the Tomcat for
NetWare Administration Guide for OES.
Tool: Tomcat Manager (NetWare)
Tasks:
* Install and deploy Web applications.
Access Method or URL/Username:
1. In a Supported Web Browser, enter the following URL:
   http://IP or DNS/tomcat/manager/html/list
2. Specify the eDirectory Admin username and password.
Notes: For more information, see “Managing Tomcat with Tomcat Admin” in the Tomcat for
NetWare Administration Guide for OES.

Tool: YaST (SUSE LINUX)
Tasks:
* Install OES Linux.
* Configure the server and standard Linux services.
* Install and configure OES components and services.
Access Method or URL/Username: To access YaST from the KDE interface, start the YaST Control
Center from the SUSE menu (System > YaST).
To access YaST at a shell prompt, enter yast.
Notes: For more information, see “YaST - Configuration” in the SUSE LINUX Enterprise Server 9
Administration Guide.


Identity and Directory Services 


Novell® Open Enterprise Server (OES) identity and directory services are explained in the 
following sections: 


* Chapter 15, “eDirectory,” on page 107 

* Chapter 16, “Identity Management Services,” on page 111 

* Chapter 17, “LDAP (eDirectory),” on page 115 

* Chapter 18, “Linux Access for eDirectory Users (LUM),” on page 117 
eDirectory


Novell® eDirectory™ is the central, key component of Novell Open Enterprise Server (OES) and 
provides the following: 


* Centralized identity management
* The underlying infrastructure for managing your network servers and the services they provide
* Access security both within the firewall and from the Web

This section discusses the following tasks:

* Section 15.1, “Managing eDirectory,” on page 107
* Section 15.2, “Planning Your eDirectory Tree,” on page 107
* Section 15.3, “eDirectory Coexistence and Migration,” on page 107
* Section 15.4, “Creating Users and Groups,” on page 109


15.1 Managing eDirectory 


iManager is the OES eDirectory management tool and is used for all eDirectory management and 
most OES component management tasks, including the following: 


* Creating eDirectory objects, including User and Group objects 
* Managing eDirectory objects 
* Configuring and managing OES service component controls in eDirectory 


* Accessing other OES component management tools 


For information on using iManager, see the Novell iManager 2.5 Administration Guide. 


15.2 Planning Your eDirectory Tree 


If you don't have eDirectory installed on your network, it is critical that you and your organization 
take time to plan and design your eDirectory tree prior to installing OES. 


The Lab Guide for OES SP2 Linux and Lab Guide for OES NetWare both provide an introduction to 
eDirectory planning that you might find useful for getting started with eDirectory. 


For detailed information on getting started using eDirectory, see "Installing or Upgrading Novell 
eDirectory on Linux" in the Novell eDirectory 8.7.3 Installation Guide. 


15.3 eDirectory Coexistence and Migration 


The following sections summarize eDirectory coexistence and migration considerations. 


15.3.1 Coexistence 


The following table lists the operating systems and eDirectory versions that OES NetWare® and
OES Linux have been tested with (and found to be compatible with):

Platform                        eDirectory Version
NetWare 6.5 SP2                 eDirectory 8.7.3 IR2 (eDirectory 8.7.3.2)
NetWare 6.0 SP5                 eDirectory 8.6.2
NetWare 5.1 SP8                 eDirectory 8.7.3
NetWare 5.1 SP7                 eDirectory 8.7.3
NetWare 5.1                     NDS® 8 (must have latest NDS 8 and eDirectory 8.7 schema extensions)
NetWare 4.2                     NDS 6 (6.21 or later)
SLES 9                          eDirectory 8.7.3
SUSE® LINUX Professional 9.1    eDirectory 8.7.3
Red Hat* AS 3.0                 eDirectory 8.7.3 IR 3 (eDirectory 8.7.3.3)
Windows 2003 Server             eDirectory 8.7.3 IR 3 (eDirectory 8.7.3.3) or later
Windows 2003 Server             Active Directory (synchronized users via Identity Manager)
Windows 2000 Advanced Server    eDirectory 8.7.3 IR 3 (eDirectory 8.7.3.3) or later
Windows NT                      NT Domain (synchronized users via Identity Manager)


NetWare Coexistence Issues 


* On NetWare, use Deployment Manager to check the tree for the correct versions of NDS/
eDirectory and to determine if the needed schema extensions are present.

* There are several issues with NetWare 5.1 SP7 and NDS 8 regarding SLP and LDAP
authentication. If you cannot upgrade to NetWare 5.1 SP8, apply the sas.nlm and SLP modules
from NetWare 5.1 SP8 for LDAP and SLP compatibility.

If the sas.nlm module is not applied, an OES Linux server installed into a NetWare 5.1 SP7 tree
hangs during installation during LDAP authentication. If the SLP modules are not applied, the
NetWare 5.1 SP7 server might not be able to work correctly with the Linux version of OpenSLP.


Linux Coexistence Issues 


There are no known eDirectory coexistence issues. 


15.3.2 Migration 


This section provides information on migrating a previous installation of eDirectory to the OES
version (eDirectory 8.7.3 IR5).


NetWare Caveats 


For NetWare, a migration is the same as an Upgrade. For instructions, see “Upgrading to OES 
NetWare” in the OES NetWare Installation Guide. 
Linux Caveats


* Upgrades from Novell Nterprise Linux Services (NNLS) are not supported, but upgrades from
SLES 9 with eDirectory 8.7.3 to OES Linux are supported.

* If you attempt to install OES Linux on a server that already has eDirectory 8.7.3 installed, the
eDirectory included with OES (eDirectory 8.7.3 IR 5) overwrites the previous eDirectory
installation. You should install OES on a clean computer. Do not try to upgrade eDirectory.

* Installing OES Linux into a NetWare 6.5 SP2 tree causes the NetWare server to abend due to an
issue in NetWare 6.5 SP2 that is fixed in NetWare 6.5 SP3 and later.

Before installing an OES Linux server into a NetWare 6.5 SP2 tree, upgrade any NetWare 6.5,
NetWare 6.5 SP1, and NetWare 6.5 SP2 LDAP servers that will be pointed to by the OES
installation to NetWare 6.5 SP3 or later.


15.4 Creating Users and Groups 


All OES components require that you create User objects to represent the users on your system. The 
Linux User Management (LUM) and Samba components on OES Linux also require that you create 
a Linux-enabled Group object that you can assign the users to. 


In addition to these basic objects, it is usually helpful to organize your tree structure using 
Organizational Unit objects to represent the structure of your organization and to serve as container 
objects to help manage the users, groups, servers, printers, and other organization resources you 
manage through eDirectory. 


The Lab Guide for OES Linux and Lab Guide for OES NetWare both provide basic instructions for 
creating container objects as well as Group and User objects in eDirectory. 


For more information about Linux User Management, see Section 18.4, “LUM Implementation 
Suggestions,” on page 122. 


For more information about Samba, see Creating and Enabling Samba Users and Groups in the 
Samba Administration Guide for OES Linux SP2. 


For detailed information on understanding, creating, and managing the various objects your 
organization might require, see the Novell eDirectory 8.7.3 Installation Guide. 
Identity Management Services


Providing network users with a network identity is a fundamental expectation for networking, but it 
can also become confusing when users need to track multiple identities to use network services. 
When you add the traditional POSIX users found on Linux systems to the mix, the picture becomes 
even more complex. 


The identity management services provided by Novell® Open Enterprise Server (OES) leverage 
Novell eDirectory™ to simplify and customize identity management to fit your needs: 


* If you currently store and manage all your users and groups in eDirectory, you can continue to
do so.

* If you use Novell Client™ software to provide network file and print services, you can now
provide seamless file and print access to OES Linux servers using the NCP™ server for Linux
and iPrint services. For more information, see Section 35.6, “NCP Implementation and
Maintenance,” on page 224 and Chapter 36, “Print Services,” on page 233.

* If you want eDirectory users to have access to OES Linux services that require POSIX
authentication, you can enable the users for Linux access. For more information, see Chapter
18, “Linux Access for eDirectory Users (LUM),” on page 117.

* If you need to store and manage users in multiple directories, you can greatly strengthen your
organization’s security and dramatically decrease your identity management costs by deploying
Novell Identity Manager 3.0.1 (IDM3).


The following section discusses the Identity Manager 3.0.1 Bundle Edition and provides more
information regarding IDM3:


16.1 Using Identity Manager 3.0.1 Bundle Edition 


Novell® Identity Manager is a data-sharing solution that leverages the Identity Vault to synchronize, 
transform, and distribute information across applications, databases, and directories. 


The Identity Manager Bundle Edition provides licensed synchronization of information (including 
passwords) held in NT Domains, Active Directory Domains, and eDirectory™ systems. When data 
from one system changes, Identity Manager detects and propagates these changes to other connected 
systems based on the business policies you define. 


In this section:

* Section 16.1.1, “What Am I Entitled to Use?,” on page 112
* Section 16.1.2, “System Requirements,” on page 112
* Section 16.1.3, “Installation Considerations,” on page 112
* Section 16.1.4, “Getting Started,” on page 112
* Section 16.1.5, “Activating the Bundle Edition,” on page 113
16.1.1 What Am I Entitled to Use?


The Bundle Edition allows you to use the Identity Manager engine and the following Identity
Manager drivers:

* Identity Manager Driver for eDirectory

* Identity Manager Driver for Active Directory

* Identity Manager Driver for NT


Other Identity Manager Integration Modules (drivers) are included in the software distribution. You
can install and use these additional Integration Modules for 90 days, at which time you must
purchase Novell Identity Manager 3.0.1 and the Integration Module you want to use.


The service drivers (Loopback, Manual Task, and Entitlements) are not included as part of the
license agreement for the Bundle Edition. In order to use these drivers, you must purchase Identity
Manager.


16.1.2 System Requirements 


For the latest Identity Manager system requirements, see the Identity Manager Installation Guide
(http://www.novell.com/documentation/idm/install/data/b2mbjps.html#b2mi0am).


The Bundle Edition does not include Solaris or AIX support. If you would like to run the 
Metadirectory engine or Integration Modules on these platforms, you must purchase Novell Identity 
Manager. 


16.1.3 Installation Considerations 


Novell Identity Manager 3 Bundle Edition contains components that can be installed within your 
environment on multiple systems and platforms. Depending on your system configuration, you 
might need to run the installation program several times to install Identity Manager components on 
the appropriate systems. 


In order for the product to be activated, you must install Open Enterprise Server before installing the 
Identity Manager Bundle Edition. For more information on Activation issues, see Section 16.1.5, 
“Activating the Bundle Edition,” on page 113. 


16.1.4 Getting Started 


The following sections are from the Novell Identity Manager Administration Guide and will help
you plan, install, and configure your Identity Manager Bundle Edition.

* Overview (http://www.novell.com/documentation/idm/install/data/b2m4ol7.html#b2m40l7)

* Planning Your Implementation
(http://www.novell.com/documentation/idm/install/data/anhomxn.html)

* Installing Identity Manager
(http://www.novell.com/documentation/idm/install/data/a7c9ie0.html)

* Installing Active Directory, NT, and eDirectory Drivers
(http://www.novell.com/documentation/idmdrivers/index.html)

* Setting Up a Connected System
(http://www.novell.com/documentation/idm/admin/data/bs35pi0.html#bs35pi0)

* Password Synchronization across Connected Systems
(http://www.novell.com/documentation/idm/admin/data/an4bz0u.html)

* Logging and Reporting Using Novell Audit
(http://www.novell.com/documentation/idm/admin/data/botc9uj.html)


For information about customizing your implementation:


* Policy Builder and Driver Customization Guide
(http://www.novell.com/documentation/idm/policy/data/front.html)


16.1.5 Activating the Bundle Edition 


If you choose to purchase additional Identity Manager Integration Modules, you need to install the
activation credential for those Integration Modules and also the credential for Novell Identity
Manager. See Activating Identity Manager Products Using a Generic Credential
(http://www.novell.com/documentation/idm/install/data/brphShb.html#brphShb) for more
information on activating other Identity Manager products.


Frequently Asked Questions about Activation 


Do I need to Install Identity Manager on a specific server? 


Yes. As a Bundle Edition user, you must install Identity Manager on the server where you installed 
Open Enterprise Server. In order for activation to work properly, you must install Identity Manager 
on Linux or NetWare, and create a driver set on that server. 


I installed the Bundle Edition on Linux or NetWare, but it's not activated. Why is this?


You must install the Bundle Edition on the server where OES exists. If you install it on a non-OES 
server, the Bundle Edition cannot activate. 


Can I run Identity Manager on a Windows Server?


Not with the Bundle Edition. However, you can still synchronize data held on a Windows server by
using the Identity Manager Remote Loader service. The Remote Loader enables synchronization
between the DirXML Engine (on your Linux or NetWare server) and a remote driver (on the
Windows server). See Setting Up Remote Loaders
(http://www.novell.com/documentation/idm/admin/data/bs35pip.html#bs35pip) for more information.


In order to run Identity Manager on a Windows server, you need to purchase Novell Identity 
Manager. 


Can I run Identity Manager on a Solaris or AIX Server?


Not with the Bundle Edition. However, you can still synchronize data held on these platforms by
using the Identity Manager Remote Loader service. The Remote Loader enables synchronization
between the Metadirectory Engine and a remote driver (on the Solaris or AIX server). See Setting
Up Remote Loaders (http://www.novell.com/documentation/idm/admin/data/bs35pip.html#bs35pip)
for more information.


In order to run Identity Manager on Solaris or AIX, you need to purchase Novell Identity Manager.


My drivers stopped working. What happened? 


You might have installed the Bundle Edition on a non-OES server. The Bundle Edition must be 
installed on your Linux or NetWare server where OES exists. If Identity Manager is installed on a 
non-OES platform, activation cannot work. After 90 days, your drivers will stop running. 


I purchased an additional Integration Module. Why doesn't it work?


With your OES purchase, you are entitled to use the Bundle Edition products. If you want to add 
new Integration Modules, you also need to purchase Novell Identity Manager. The Integration 
Module cannot activate until you purchase Novell Identity Manager. 


If I purchase a license for Novell Identity Manager and a license for an additional
Integration Module, do I need to re-install the software?


No, you just need to install the activation credentials associated with your purchase. 


How do I know what's activated? 


For information about how to view currently activated products, see Viewing Product Activations 
(http://www.novell.com/documentation/idm/install/data/agfhtax.html#agfhtax). 


114 Novell OES SP2 Planning and Implementation Guide 


LDAP (eDirectory) 


This section contains information about LDAP support in OES. 


* Section 17.1, “Overview of eDirectory LDAP Services,” on page 115
* Section 17.2, “Planning eDirectory LDAP Services,” on page 115
* Section 17.3, “Coexistence and Migration of eDirectory LDAP Services,” on page 115
* Section 17.4, “eDirectory LDAP Implementation Suggestions,” on page 115


17.1 Overview of eDirectory LDAP Services 


Lightweight Directory Access Protocol (LDAP) Services for Novell® eDirectory™ is a server 
application that lets LDAP clients access information stored in eDirectory. 


Most OES services leverage the LDAP server for eDirectory for authentication as illustrated in the 
service overviews in this guide. 


17.2 Planning eDirectory LDAP Services 


LDAP for eDirectory provides LDAP authentication for the objects stored in eDirectory. As you 
plan your eDirectory tree, be sure you understand the information in “Understanding LDAP 
Services for Novell eDirectory” in the Novell eDirectory 8.7.3 Administration Guide. 


17.3 Coexistence and Migration of eDirectory LDAP Services


If you have users in an OpenLDAP database and you want to migrate them to eDirectory, you can 
use the Novell Import Conversion Export (ICE) Utility. 


For more information, see “Novell Import Conversion Export Utility” in the Novell eDirectory 8.7.3 
Administration Guide. 


17.4 eDirectory LDAP Implementation Suggestions


For help with setting up and using LDAP for eDirectory, refer to the following sections in the Novell
eDirectory 8.7.3 Administration Guide:

* “Loading and Unloading LDAP Services for eDirectory”
* “Verifying That the LDAP Server Is Loaded”
* “Verifying That the LDAP Server Is Running”
* “Configuring LDAP Objects”
* “Refreshing the LDAP Server”
* “Authentication and Security”
* “Using the LDAP Server to Search the Directory”
* “Configuring for Superior Referrals”
* “Persistent Search: Configuring for eDirectory Events”
* “Getting Information about the LDAP Server”
Linux Access for eDirectory Users (LUM)


Just as users and groups on NetWare® servers are managed through eDirectory™, users and groups 
on Linux servers are managed according to the POSIX (Portable Operating System Interface) 
standard. 


Because Open Enterprise Server provides services running on both Linux and NetWare, Novell® has 
developed a technology that lets eDirectory users also function as “local” POSIX users on Linux 
servers. This technology is called Linux User Management or LUM. 


The following sections outline the basic principles involved in Novell LUM and cover the following 
topics: 

* Section 18.1, “Overview,” on page 117 

* Section 18.2, "Planning," on page 121 

* Section 18.3, “Coexistence and Migration," on page 122 


* Section 18.4, “LUM Implementation Suggestions," on page 122 


18.1 Overview 


The topics in this section are designed to help you understand when Linux-enabled access is 
required so that your network services are accessible and work as expected. For more information 
about Linux User Management, see “Overview” in the Novell Linux User Management Technology 
Guide. 
18.1.1 A Graphical Preview of Linux User Management


Figure 18-1 illustrates how Linux User Management controls access to the OES server. 


Figure 18-1 LUM Provides POSIX Access for eDirectory Users

[Figure 18-1 labels: PAM-Enabled Services (login, su, passwd, ftp, sshd, rsh, rlogin), Samba
Share, Novell Remote Manager, OES Linux server]


The following table explains the information presented in Figure 18-1.


Valid POSIX Users: Some services on OES Linux servers must be accessed by POSIX users.
eDirectory users can function as POSIX users if they are enabled for Linux access.

Authentication: When the system receives an action request, it can authenticate both local POSIX
users and users who have been enabled for Linux access.

eDirectory Authenticated Services: Users can potentially access PAM-enabled services, Samba
shares, and Novell Remote Manager as either local or eDirectory users.
The passwd command is not enabled for eDirectory access because eDirectory passwords are
maintained in eDirectory, not on the local server.


18.1.2 Linux Requires POSIX Users


Linux requires that all users be defined using standard POSIX attributes, such as username, user ID
(UID), primary group ID (GID), password, and other similar attributes.
18.1.3 Linux Users Can Be Local or Remote


Users that access a Linux server can be created 


* Locally (on the server): Local users are managed at a shell prompt (using commands such as 
useradd) or in YaST. (See the useradd(8) man page and the YaST online help for more 
information.) These local users are stored in the /etc/passwd file. (See the passwd(5) man 
page for more information.) 


* Remotely (off the server): Remote users can be managed by other systems, such as LDAP- 
compliant directory services. Remote user access is enabled through the Pluggable 
Authentication Module (PAM) architecture on Linux. 


The Linux POSIX-compliant interfaces can authenticate both kinds of users, independent of where 
they are stored and how they are managed. 


18.1.4 About Service Access on OES Linux 


Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users 
for access to one or more OES Linux servers. 


Said another way, LUM lets eDirectory users function as local (POSIX) users on an OES Linux 
server. Access is enabled by leveraging the Linux Pluggable Authentication Module (PAM) 
architecture. PAM makes it possible for eDirectory users to authenticate with the OES Linux server 
through LDAP. 


In OES, the terms LUM-enabling and Linux-enabling are both used to describe the process that adds 
standard Linux (POSIX) attributes and values to eDirectory users and groups, thus enabling them to 
function as POSIX users and groups on the server. 


You can use iManager to enable eDirectory users for Linux. For instructions, see Section 18.4.1, 
“About Enabling eDirectory Users for Linux Access,” on page 122. 


18.1.5 Services in OES Linux That Require Linux-Enabled Access


Some services on an OES Linux server require that eDirectory users be Linux-enabled: 


* Core Linux Utilities Enabled for LUM: These are the core utilities and other shell 
commands that you specified during the OES install to be enabled for authentication through 
eDirectory LDAP. In Linux, these are known as PAM-enabled utilities. 


IMPORTANT: Before you accept the default PAM-enabled service settings, be sure you 
understand the security implications explained in Section 30.1.3, “User Restriction 
Limitations," on page 163. 


The core utilities available for LUM-enablement are summarized in Table 18-1. 
Table 18-1 PAM-enabled Services Controlled by LUM


Command: ftp
Where Executed: Another host
Task: Transfer files to and from the OES server which, in this case, is a remote host.

Command: login
Where Executed:
* OES server
* SSH session with OES server
Task: Log in to the OES server, either directly or in an SSH session with the server.

Command: passwd
Where Executed:
* OES
* SSH session with OES server
Task: Change the POSIX password.

Command: rlogin
Where Executed: Another host
Task: Log in to the OES server which, in this case, is a remote host.

Command: rsh
Where Executed: Another host
Task: Execute a command at the OES server which, in this case, is a remote host.

Command: sshd
Where Executed: Another host
Task: Establish a secure encrypted connection with the OES server which, in this case, is a
remote host.

Command: su
Where Executed:
* OES server
* SSH session with OES server
Task: Temporarily become another user.
This is most often used to temporarily become the root user, who is not a LUM user and is,
therefore, not affected by LUM.


NOTE: Logging in to the OES Linux server through a PAM-enabled service for the first time
causes the creation of a home directory.


* Novell Samba (SMB/CIFS) Shares on the Server: Windows workgroup users who need
access to Samba shares defined on the server must also be Linux-enabled eDirectory users who
are configured to access the server. This is because Samba requires POSIX identification for
access.

By extension, NetStorage users who need access to SMB/CIFS Storage Location objects that
point to the server, must also be LUM-enabled eDirectory users with access to the server.

NOTE: Although Samba users must be enabled for Linux, Samba is not a PAM-enabled
service. Logging in to the OES Linux server through Samba will not create a home directory.


* Novell Remote Manager (NRM) on Linux: You can access NRM as

    * The root user with rights to see everything on the Linux server.
    * A local Linux user with access governed by POSIX access rights.
    * A LUM-enabled eDirectory user, such as the Admin user created during the install.


* Novell Storage Management Services (SMS) on Linux: You can access SMS utilities as

    * The root user with rights to see everything on the Linux server.
    * A local Linux user with access governed by POSIX access rights.
    * A LUM-enabled eDirectory user, such as the Admin user created during the install.
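
The local/remote split described in Section 18.1.3 and the PAM-enabled services in Table 18-1 can be checked on a server before the default settings are accepted. The Python sketch below is an added example, not Novell code: the PAM module name pam_nam.so is an assumption (the guide does not name the module), the function names are hypothetical, and all sample data is constructed.

```python
"""Audit helper: local vs. remote accounts and LUM-enabled PAM services."""

# Commands listed in Table 18-1 as PAM-enabled services controlled by LUM.
LUM_CANDIDATE_SERVICES = ("ftp", "login", "passwd", "rlogin", "rsh", "sshd", "su")

# Assumption: name of the PAM module that authenticates eDirectory users.
# The guide does not name it; pass the module your servers actually use.
ASSUMED_LUM_MODULE = "pam_nam.so"


def parse_passwd(text):
    """Parse passwd(5)-format text into {username: (uid, gid)}."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or line.lstrip().startswith("#"):
            continue  # blank, comment, or malformed entry
        name, _pw, uid, gid = fields[:4]
        if not (uid.isdigit() and gid.isdigit()):
            continue  # e.g. "+::::::" compat entries carry no IDs
        accounts[name] = (int(uid), int(gid))
    return accounts


def classify_accounts(local_text, resolved_text):
    """Split accounts into local and remote and flag UID collisions.

    local_text    -- contents of /etc/passwd (local users)
    resolved_text -- every account the server resolves, for example the
                     output of `getent passwd` (local plus remote users)
    """
    local = parse_passwd(local_text)
    resolved = parse_passwd(resolved_text)
    remote = {n: ids for n, ids in resolved.items() if n not in local}
    owner_of_uid = {}
    for name, (uid, _gid) in sorted(local.items()):
        owner_of_uid.setdefault(uid, name)
    # A remote user whose UID equals a local user's UID gets that local
    # user's file access on this server (UID 0 would mean root).
    collisions = [(name, uid, owner_of_uid[uid])
                  for name, (uid, _gid) in sorted(remote.items())
                  if uid in owner_of_uid]
    return {"local": sorted(local), "remote": sorted(remote),
            "uid_collisions": collisions}


def pam_modules(text):
    """Yield (management_group, module_basename) for each pam.d rule."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].startswith("@"):
            continue
        idx = 1
        if tokens[idx].startswith("["):  # control like [success=1 default=ignore]
            while idx < len(tokens) and not tokens[idx].endswith("]"):
                idx += 1
        idx += 1
        if idx < len(tokens):
            yield tokens[0].lstrip("-"), tokens[idx].rsplit("/", 1)[-1]


def pam_services_using(pam_configs, module=ASSUMED_LUM_MODULE):
    """Map each Table 18-1 service to the PAM groups that call `module`.

    pam_configs -- {service name: text of /etc/pam.d/<service>}
    """
    report = {}
    for service in LUM_CANDIDATE_SERVICES:
        if service in pam_configs:
            groups = {g for g, m in pam_modules(pam_configs[service]) if m == module}
            report[service] = sorted(groups)
    return report


# Constructed sample data (not taken from a real server).
SAMPLE_LOCAL = """root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/bin/false
jsmith:x:1000:100:J Smith:/home/jsmith:/bin/bash
"""
SAMPLE_RESOLVED = SAMPLE_LOCAL + """admin:x:600:600:eDirectory Admin:/home/admin:/bin/bash
mlopez:x:1000:600:M Lopez:/home/mlopez:/bin/bash
"""
SAMPLE_PAM = {
    "sshd": "#%PAM-1.0\nauth sufficient pam_nam.so\nauth required pam_unix2.so\n"
            "account sufficient /lib/security/pam_nam.so\nsession required pam_unix2.so\n",
    "su": "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth required pam_unix2.so\n",
}

if __name__ == "__main__":
    print(classify_accounts(SAMPLE_LOCAL, SAMPLE_RESOLVED))
    print(pam_services_using(SAMPLE_PAM))
```

A service that maps to an empty list authenticates local users only; a non-empty `uid_collisions` list means a remote user shares a UID with a local account and should be renumbered before access is enabled.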
18.1.6 Services That Do Not Require Linux-Enabled Access but Have Some LUM Requirements


Some services do not require eDirectory users to be Linux enabled for service access:


* QuickFinder, Novell iFolder 2.1x, and Other Web Services: If only local users access these
Web services, Linux-enabling doesn't apply because the users are not remote eDirectory users.


* NCP Server: The NCP™ server that has been ported to Linux remains tightly integrated with
eDirectory and does not require eDirectory users to be Linux enabled.

However, when NCP volumes are created that point to partitions other than NSS on the server,
not all features are available if the eDirectory user is not Linux enabled. For example, cross-
protocol access is not possible if the user is not Linux enabled.


* NSS: eDirectory users that access NSS volumes directly using NCP (the Novell Client™) are
not required to be Linux enabled.

However, if any other file access protocol is used to access NSS through the virtual file system
layer that makes NSS appear to be a POSIX-compliant file system, then the users must be
Linux enabled.


IMPORTANT: Although the services in this section do not require Linux-enabled access, the 
services themselves run as POSIX-compliant system users who function on behalf of the end users 
that are accessing the service. 


If the services must access NSS volumes, then the system users must be Linux enabled because only 
eDirectory users can access NSS volumes. 


For more information, see Appendix F, “OES System Users and Groups,” on page 255. 


18.1.7 Linux Access Is Not Global Access to OES Linux Servers 

As you plan to Linux enable users for access to these services, keep in mind that each OES Linux 
server that Linux-enabled users need to access must be associated with a Linux-enabled group that 
the users belong to. 


In other words, it is not sufficient to Linux-enable users for access to a single OES Linux server if 
they need access to multiple servers. An association between the Linux-enabled group that the users 
belong to and the eDirectory UNIX Workstation object associated with the server must be formed 
using iManager for each server the users need access to. This can be accomplished for multiple 
servers using the process described in Section 18.4.3, “Enabling Users to Access Multiple OES 
Linux Servers," on page 123. 


For more information on LUM, see the Novell Linux User Management Technology Guide. 


18.2 Planning 


The following sections summarize LUM planning considerations. 

18.2.1 eDirectory Admin User Is Automatically Enabled for Linux Access 


When you install Linux User Management on an OES Linux server, the Admin User object that 
installs LUM is automatically enabled for eDirectory LDAP authentication to the server. 


18.2.2 Planning Which Users to Enable for Access 


You need to identify the users (and groups) who need eDirectory LDAP access to OES Linux 
servers. 


This can be easily determined by doing the following: 


1. Review the information in Section 18.1.5, “Services in OES Linux That Require 
Linux-Enabled Access,” on page 119. 


2. Identify the servers that will run the services mentioned. 


3. On your planning sheets, note the users and groups that you need to enable and the servers you 
need to enable them to access. 


18.3 Coexistence and Migration 


For coexistence and migration information, see “Understanding the Need for Linux Enabling Users” 
in the Novell Server Consolidation and Migration Toolkit Administration Guide. 


18.4 LUM Implementation Suggestions 


The following sections summarize LUM implementation considerations. 


* Section 18.4.1, “About Enabling eDirectory Users for Linux Access,” on page 122 
* Section 18.4.2, “UNIX Workstation vs. Linux Workstation (Naming Discrepancy),” on page 123 
* Section 18.4.3, “Enabling Users to Access Multiple OES Linux Servers,” on page 123 
* Section 18.4.4, “Enabling eDirectory Groups for Linux Access,” on page 123 
* Section 18.4.5, “Enabling eDirectory Users for Linux Access,” on page 124 
* Section 18.4.6, “Refreshing the User List in the KDE Login Screen,” on page 125 


18.4.1 About Enabling eDirectory Users for Linux Access 


You can enable eDirectory users for Linux User Management using either iManager 2.5 or the 
nambulkadd command. 


* iManager: You can enable existing eDirectory users for Linux access using the Linux User 
Management tasks in iManager. 

You can enable multiple users in the same operation as long as they can be assigned to the same 
primary Linux-enabled group. The enabling process lets you associate the group with one or 
more OES Linux servers or Linux workstations. For more information, see Section 18.4.3, 
“Enabling Users to Access Multiple OES Linux Servers,” on page 123. 

* nambulkadd: If you have eDirectory users and groups that need to be enabled for Linux 
access, you can use the nambulkadd command to modify multiple objects simultaneously. For 
more information, see the Novell Linux User Management Technology Guide. 


18.4.2 UNIX Workstation vs. Linux Workstation (Naming Discrepancy) 


When using iManager to manage OES Linux access, you might notice a discrepancy in naming. 


When OES Linux servers are created, a UNIX Workstation - server_name object is created in 
eDirectory, where server_name is the DNS name of the OES Linux server. The iManager Linux 
User Management plug-in refers to these server objects as “Linux Workstation” objects. 

Both “UNIX Workstation” and “Linux Workstation” refer to the same eDirectory objects. 


18.4.3 Enabling Users to Access Multiple OES Linux Servers 


IMPORTANT: Users gain server access through their Linux-enabled group assignment rather than 
through a direct assignment to the UNIX Workstation (Linux Workstation) objects themselves. 


You can enable users for access to multiple OES Linux servers by associating the Linux-enabled 
group to which users belong with each UNIX Workstation (Linux Workstation) object you want 
users to have access to. 
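
The access rule described in Sections 18.1.7 and 18.4.3, worked through as an added example that is not part of the Novell guide: it compares the access a planning sheet calls for with the access that group-to-UNIX Workstation associations actually produce. All user, group, and server names are constructed, and the data structures are assumptions that stand in for planning-sheet entries; the code makes no eDirectory or LUM calls.

```python
"""Added example: planning-sheet review for LUM access. All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    linux_enabled: bool
    members: set = field(default_factory=set)
    # DNS names of the servers whose UNIX Workstation object is associated
    # with this group (assumed to be copied from the planning sheet).
    workstations: set = field(default_factory=set)


def effective_access(groups):
    """Return {user: set(servers)} reachable through Linux-enabled groups.

    There is no direct user-to-server grant: a server is reachable only
    when a Linux-enabled group the user belongs to is associated with it.
    """
    access = {}
    for g in groups:
        if not g.linux_enabled:
            continue  # membership in a group that is not Linux enabled grants nothing
        for user in g.members:
            access.setdefault(user, set()).update(g.workstations)
    return access


def granting_groups(groups, user, server):
    """Names of the Linux-enabled groups that give `user` access to `server`."""
    return sorted(
        g.name for g in groups
        if g.linux_enabled and user in g.members and server in g.workstations
    )


def review(groups, required):
    """Compare planned need ({user: set(servers)}) with effective access.

    Returns (missing, excess):
      missing: user -> servers on the planning sheet that are not reachable
      excess:  user -> servers reachable but not on the planning sheet
    """
    granted = effective_access(groups)
    missing, excess = {}, {}
    for user in sorted(set(required) | set(granted)):
        need = required.get(user, set())
        have = granted.get(user, set())
        if need - have:
            missing[user] = need - have
        if have - need:
            excess[user] = have - need
    return missing, excess


# Constructed sample data (hypothetical groups, users and servers).
SAMPLE_GROUPS = [
    Group("iprint-admins", True, {"alice", "bob"}, {"oes1.example.com"}),
    Group("file-users", True, {"bob", "carol"},
          {"oes1.example.com", "oes2.example.com"}),
    Group("legacy-staff", False, {"dave"}, set()),
]
SAMPLE_REQUIRED = {
    "alice": {"oes1.example.com", "oes2.example.com"},
    "bob": {"oes1.example.com"},
    "carol": {"oes1.example.com", "oes2.example.com"},
    "dave": {"oes2.example.com"},
}

if __name__ == "__main__":
    missing, excess = review(SAMPLE_GROUPS, SAMPLE_REQUIRED)
    for user, servers in missing.items():
        print(f"MISSING {user}: {', '.join(sorted(servers))}")
    for user, servers in excess.items():
        for server in sorted(servers):
            via = ", ".join(granting_groups(SAMPLE_GROUPS, user, server))
            print(f"EXCESS  {user}: {server} (granted via {via})")
```

A "missing" entry means a group still has to be Linux enabled or associated with that server; an "excess" entry shows access a user picked up as a side effect of a group association and is worth reviewing before the group is enabled.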


18.4.4 Enabling eDirectory Groups for Linux Access 


There are two methods for enabling eDirectory groups for Linux access: 


Using LUM Utilities at the Shell Prompt to Enable/Create Multiple Groups 


Novell Linux User Management includes utilities for creating new Linux-enabled groups, and for 
enabling existing eDirectory groups for Linux access. 


The nambulkadd utility lets you use a text editor to create a list of groups you want enabled for 
Linux access. For more information, see “nambulkadd” in the Novell Linux User Management 
Technology Guide. 


IMPORTANT: Be sure to include a blank line at the end of each text file. Otherwise, the last line of 
the file won't be processed properly. 


The namgroupadd utility lets you create a new Linux-enabled group or enable an existing eDirectory 
group for Linux access. For more information, see “namgroupadd” in the Novell Linux User 
Management Technology Guide. 

Using iManager 


The following steps assume that the eDirectory Group objects already exist and that any User 
objects you want to enable for Linux also exist and have been assigned to the groups. 

1 Log in to iManager as the eDirectory Admin user or equivalent. 

2 Click Linux User Management > Enable Groups for Linux. 

3 Browse to and select one or more Group objects, then click OK. 

4 If you want all users assigned to the group to be enabled for Linux, make sure the Linux-Enable 
All Users in These Groups option is selected. 


5 Click Next twice. 


6 Browse to and select one or more UNIX Workstation (OES Linux server) objects, then click 
OK. 


7 Click Next, click Finish, then click OK. 


18.4.5 Enabling eDirectory Users for Linux Access 


There are two methods for enabling eDirectory users for Linux access: 


Using LUM Utilities at the Shell Prompt to Enable/Create Multiple Users 


Novell Linux User Management includes utilities for creating new Linux-enabled users, and for 
enabling existing eDirectory users for Linux access. 


The nambulkadd utility lets you use a text editor to create a list of users you want enabled for Linux 
access. For more information, see “nambulkadd” in the Novell Linux User Management Technology 
Guide. 


IMPORTANT: Be sure to include a blank line at the end of each text file. Otherwise, the last line of 
the file won’t be processed properly. 


The namuseradd utility lets you create a single Linux-enabled user or enable an existing eDirectory 
user for Linux access. For more information, see “namuseradd” in the Novell Linux User 
Management Technology Guide. 


Using iManager 
The following steps assume that the eDirectory User objects already exist. 


1 Log in to iManager as the eDirectory Admin user or equivalent. 
2 Click Linux User Management > Enable Users for Linux. 
3 Browse to and select one or more User objects, then click OK. 
4 Click Next. 
5 As indicated, you can do the following: 
* Select and enable an existing eDirectory group for Linux. 
* Select an eDirectory group that is already enabled for Linux. 
* Specify the name and context of a new eDirectory group to create and enable for Linux. 

Select the option that matches your requirements. 

6 Click Next. 

7 Browse to and select one or more UNIX Workstation (OES Linux server) objects, then click 
OK. 

8 Click Next, click Finish, then click OK. 


18.4.6 Refreshing the User List in the KDE Login Screen 


After you create and enable an eDirectory user for Linux access, the user doesn’t initially appear on 
the KDE Login screen. However, the user has Linux access and can log in. 


If you want the user to appear in the list, you can refresh the list by logging in as the root user and 
restarting the namcd process. 


At a shell prompt, enter the following command: 


/etc/init.d/namcd restart 




Infrastructure Services 


* Chapter 19, “Auditing,” on page 129 
* Chapter 20, “Authentication,” on page 131 
* Chapter 21, “Backup,” on page 135 
* Chapter 22, “Clustering and Failover,” on page 137 
* Chapter 23, “Databases,” on page 139 
* Chapter 24, “DNS, DHCP, and OpenSLP,” on page 141 
* Chapter 25, “File Systems and Storage Services,” on page 143 
* Chapter 26, “IPX and TCP/IP,” on page 153 
* Chapter 27, “iSCSI,” on page 155 
* Chapter 28, “Licensing,” on page 157 
* Chapter 29, “Search,” on page 159 
* Chapter 30, “Security,” on page 161 
* Chapter 31, “Time Synchronization,” on page 169 
* Chapter 32, “Web and Application Services,” on page 183 

Auditing 


OES NetWare includes NSure Audit 1.0.3 Starter Pack, and the applicable documentation is 
included in the OES documentation set. For direct links to the documentation included with OES 
NetWare, see the topics in “Auditing” in the OES online documentation. 


OES Linux does not include an audit starter pack. However, the Novell Audit 2.0 Starter Pack is 
supported on OES Linux and is available for download at no cost from the Novell Download Site 
(http://www.novell.com/downloads). Documentation for Novell Audit 2.0 is available on the Novell 
Documentation Web site (http://www.novell.com/documentation/novellaudit20/treetitl.html). 

Authentication 


This section contains the following topics: 


* Section 20.1, “Overview of Authentication Services,” on page 131 
* Section 20.2, “Planning for Authentication,” on page 133 
* Section 20.3, “Authentication Coexistence and Migration,” on page 134 
* Section 20.4, “Configuring and Administering Authentication,” on page 134 


20.1 Overview of Authentication Services 


This section provides specific overview information for the following key OES components: 


* Section 20.1.1, “NetIdentity Agent,” on page 131 
* Section 20.1.2, “Novell Modular Authentication Services (NMAS),” on page 131 
* Section 20.1.3, “Password Support in OES,” on page 132 

For more authentication topics, see “Access, Authenticate, Log in” in the OES online documentation. 

20.1.1 NetIdentity Agent 


In OES, the NetIdentity Agent works with Novell® eDirectory™ authentication to provide 
background authentication to Windows Web-based applications that require eDirectory 
authentication through a secure identity “wallet” on the workstation. Applications access the 
eDirectory credentials without prompting users for a username and password. 


The NetIdentity Agent supports applications running on OES server platforms as follows: 


* OES Linux: NetStorage 
* OES NetWare: Virtual Office, NetStorage, and iPrint (if authentication is required) 


NetIdentity Agent browser authentication is supported only by Windows Internet Explorer. 


The Novell Client™ provides authentication credentials to NetIdentity, but it does not obtain 
authentication credentials from NetIdentity because it is not a Web-based application. 


NetIdentity Agent requires 


* XTier (NetStorage) on the OES server in the URL for the Web-based applications. 
* The NetIdentity agent installed on the workstations. 


For more information on using the NetIdentity agent, see the NetIdentity Administration Guide for 
NetWare 6.5. 


20.1.2 Novell Modular Authentication Services (NMAS) 


Novell Modular Authentication Service (NMAS™) lets you protect information on your network by 
providing various authentication methods to Novell eDirectory on NetWare®, Windows, and UNIX 
networks. 

These login methods are based on three login factors: 


* Password 
* Physical device or token 
* Biometric authentication 
For example: 
* You can have users log in using only a password, a fingerprint scan, a token, a smart card, a 
certificate, or a proximity card, etc. 
* You can have users log in using a combination of methods, thus providing a higher level of 
security. 


Some login methods require additional hardware and software. You must ensure you have all of the 
necessary hardware and software for the methods to be used. 


NMAS software consists of the following: 


* NMAS server components: Installed as part of OES. 


* The NMAS Client: Required on each Windows workstation that will be authenticating using 
NMAS. 


Support for Third-Party Authentication Methods 
NMAS includes several login methods on the Novell Client CD in the nmas\nmasmethods folder. 


Other third-party methods are available for download. For information on the available third-party 
login methods, see the NMAS Partner’s Web site (http://www.novell.com/products/nmas/partners). 
Each method has a readme.txt file or a readme.pdf file that includes specific installation and 
configuration instructions. 


More Information 


For more information on how to use NMAS, see the Novell Modular Authentication Services 
(NMAS) 2.3 Administration Guide (http://www.novell.com/documentation/1g/nmas23). 


20.1.3 Password Support in OES 


In the past, administrators have had to manage multiple passwords (simple password, NDS® 
passwords, Samba passwords) because of password differences. Administrators have also had to 
deal with keeping the passwords synchronized. 


In OES you have the choice of retaining your current password maintenance methods or deploying 
Universal Password to simplify password management. In either case, if you deploy Virtual Office, 
users can manage their own passwords. For more information, see “Change Password” in the Novell 
Virtual Office Configuration Guide. Also see “Password Self-Service” in the Novell Nsure Identity 
Manager 2.0.1 Administration Guide. 


All Novell products and services are being developed to work with extended character 
(UTF-8-encoded) passwords. For a current list of products and services that work with extended characters, 
see Novell TID 10083884 (http://support.novell.com/servlet/tidfinder/10083884). 


The password types supported in eDirectory are summarized in Table 20-1. 

Table 20-1 eDirectory Password Types 

Password Type: NDS 

Description: The NDS password is stored in a hash form that is nonreversible in eDirectory. Only 
the NDS system can make use of this password, and it cannot be converted into any 
other form for use by any other system. 

Password Type: Samba 

Description: In OES, Samba users get a Universal Password policy assigned by default. 

OES also supports the Samba hash password if desired. However, you must choose 
to not deploy Universal Password if you want to use the Samba hash password. 
Choosing the Samba password requires that users always remember to synchronize 
it when changing their eDirectory password. 

For more information, see “Samba Passwords” and “The Samba Proxy User 
Password Must Be Managed Separately” in the Samba Administration Guide for 
OES Linux SP2. 

Password Type: Simple 

Description: The simple password provides a reversible value stored in an attribute on the User 
object in eDirectory. NMAS securely stores a clear-text value of the password so that 
it can use it against any type of authentication algorithm. To ensure that this value is 
secure, NMAS uses either a DES key or a triple DES key (depending on the strength 
of the Secure Domain Key) to encrypt the data in the NMAS Secret and 
Configuration Store. 

The simple password was originally implemented to allow administrators to import 
users and hashed passwords from other LDAP directories such as Active Directory 
and iPlanet*. 

The limitations of the simple password are that no password policy (minimum length, 
expiration, etc.) is enforced. Also, by default, users do not have rights to change their 
own simple passwords. 

Password Type: Universal 

Description: Universal Password (UP) enforces a uniform password policy across multiple 
authentication systems by creating a password that can be used by all protocols and 
authentication methods. 

Universal Password is managed in iManager by the Secure Password Manager 
(SPM), a component of the NMAS module installed on OES servers. All password 
restrictions and policies (expiration, minimum length, etc.) are supported. 

All the existing management tools that run on clients with the UP libraries 
automatically work with the Universal Password. 

Universal Password is not automatically enabled unless you install Novell Samba on 
an OES Linux server. You can optionally choose to have the Samba hash password 
stored separately. This requires, however, that users always synchronize the Samba 
password when changing their eDirectory password. 

The Novell Client supports the Universal Password. It also supports the NDS 
password for older systems in the network. The Novell Client automatically upgrades 
to use Universal Password when UP is deployed. 

For more information, see “Deploying Universal Password” in the Novell Modular 
Authentication Services (NMAS) 2.4 Administration Guide. 


20.2 Planning for Authentication 


For planning topics, see “Access, Authenticate, Log in” in the OES online documentation. 

20.3 Authentication Coexistence and Migration 


For authentication- and security-related coexistence and migration information, see “Security and 
Certificate Management” in the OES Coexistence and Migration Guide. 


20.4 Configuring and Administering Authentication 

For a list of configuration and administration topics, see “Access, Authenticate, Log in” in the OES 
online documentation. 

Backup 


See the topics in “Open Enterprise Server SP2 Documentation” in the OES online documentation. 

Clustering and Failover 


See the topics in “Clustering (High Availability)” in the OES online documentation. 

Databases 


See the topics in “Databases” in the OES online documentation. 

DNS, DHCP, and OpenSLP 


IMPORTANT: NetWare® uses Novell® SLP, which provides synchronization between Directory 
Agents (DAs) that are in the same eDirectory™ context. 


OpenSLP on Linux is not customized to provide DA synchronization. 


For links to documentation on these discovery protocols, see the related topics on the “Network 
Protocols” page in the OES online documentation. 

File Systems and Storage Services 


Use this section to understand the file storage solutions available in OES and then to plan a storage 
solution that meets your file system management needs. 


The “Open Enterprise Server SP2 Documentation” section in the OES online documentation 
provides overview, planning, implementation, and configuration links. 


This section provides the following information about the process of planning and implementing 
storage services in OES: 

* Section 25.1, “Overview of OES Storage,” on page 143 

* Section 25.2, “Planning OES File Storage,” on page 147 

* Section 25.3, “Coexistence and Migration of Storage Services,” on page 148 

* Section 25.4, “Initial Setup Is Required for NetWare,” on page 149 

* Section 25.5, “Configuring and Maintaining Storage," on page 149 


Other storage-related topics in this guide: 
* Chapter 33, “Access,” on page 187 
* Chapter 20, “Authentication,” on page 131 


* Chapter 21, “Backup,” on page 135 
* Chapter 35, "File Services," on page 205 


25.1 Overview of OES Storage 


This section presents the following overview information for the file systems included in OES: 


* Section 25.1.1, “File System Support in OES,” on page 144 
* Section 25.1.2, "Storage Basics by Platform," on page 146 
* Section 25.1.3, "Storage Options," on page 146 


* Section 25.1.4, “NetWare Core Protocol Support (Novell Client Support) on Linux,” on 
page 147 

25.1.1 File System Support in OES 


As shown in Figure 25-1 on page 144, both OES server platforms support Novell® Storage 
Services™ as well as their traditional file systems. 


Figure 25-1 File System Choices on OES Servers 

Table 25-1 summarizes OES file system types and provides links to more information. 

Table 25-1 File Systems Available on OES Servers 

File System Type: Linux Traditional File Systems 

Summary: SLES 9 supports a number of different file systems, the most common of which are 
Ext2, Ext3, and Reiser FS. 

There are no differences in support for OES services on the various Linux traditional file 
systems. 

There are differences in service support between Linux Traditional and Novell Storage Services 
(NSS) on OES Linux. For more information, see Figure 25-2 on page 148. 

Link for More Information: For an overview of the supported file systems on SLES 9, see “File 
Systems in Linux” in the SUSE LINUX Enterprise Server 9 Administration Guide. 

File System Type: NetWare® Traditional File System 

Summary: Although it is considered a legacy file system on NetWare servers, the NetWare 
Traditional file system is still robust. And it supports the NetWare file service access model. 

Link for More Information: For more information, see the NetWare Traditional File System 
Administration Guide for OES. 

File System Type: Novell Storage Services (NSS) 

Summary: NSS lets you manage your shared file storage for any size organization. 

On NetWare, NSS features include visibility, a trustee access control model, multiple 
simultaneous name space support, native Unicode*, user and directory quotas, rich file 
attributes, multiple data stream support, event file lists, and a file salvage subsystem. 

Many of these features are also supported on NSS on Linux. For a feature comparison, see 
“Comparison of NSS on NetWare and NSS on Linux” in the Novell Storage Services File System 
Administration Guide for OES. 

Link for More Information: For an overview of NSS, see “Overview of NSS” in the Novell 
Storage Services File System Administration Guide for OES. 

Novell Storage Services (NSS) 


The following sections summarize key points regarding NSS. 


Understanding NSS Nomenclature 


NSS uses a specific nomenclature to describe key media objects. These terms appear in both the 
NSS documentation and in NSS error messages. 


For more information, see “NSS Nomenclature” in the Novell Storage Services File System 
Administration Guide for OES. 


Comparing NSS with Other File Systems 


Because OES supports a variety of file systems, you might want to compare their features and 
benefits as outlined in the following sections of the Novell Storage Services File System 
Administration Guide for OES: 

* NSS Linux vs. NSS NetWare: “Comparison of NSS on NetWare and NSS on Linux” 


* NSS Linux vs. Linux Traditional: “Comparison of NSS for Linux and Linux Traditional File 
Systems” 

* NSS NetWare vs. NetWare Traditional: “Comparison of NSS on NetWare and the NetWare 
Traditional File System” 


NSS and Storage Devices 


NSS supports both physical devices (such as hard disks) and virtual devices (such as software 
RAIDs and iSCSI devices). 


For more information on the various devices that NSS supports, see “Managing Devices” in the 
Novell Storage Services File System Administration Guide for OES. 

25.1.2 Storage Basics by Platform 


The following sections summarize storage basics for Linux and NetWare. 


Linux and File Systems 


For a high-level overview of the file system on Linux, including the root (/) directory, mount 
points, standard folders, and case sensitivity, see “Understanding Directory Structures in Linux 
Traditional File Systems" in the File Systems Management Guide for OES. 


NetWare Directories 


NetWare uses volumes and directories (or folders) to organize data. NetWare file systems support 
directory paths, fake root directories, Directory Map objects, and drive mappings. 


For more information, see "Understanding NetWare Directory Structures" in the File Systems 
Management Guide for OES. 


NetWare Storage Devices 


NetWare lets you use many different kinds of storage devices, including server disks, single storage 
devices, arrays of storage devices, and virtual storage devices. 


To understand how NetWare connects with and uses storage devices, see “Overview of Server Disks 
and Storage Devices for NetWare" in the OES Server Disks and Storage Devices for NetWare. 


25.1.3 Storage Options 


The following sections summarize OES storage options. 


Direct-Attached Storage Options (NSS and Traditional) 


As shown in Figure 25-1 on page 144, you can install traditional volumes and Novell Storage 
System (NSS) volumes on both OES platforms. These devices can be installed within the server or 
attached directly to the server through an external SCSI bus. 


For more information, see “Direct Attached Storage Solutions” in the Storage and File Services 
Overview for OES. 


Advanced Storage Options (NSS Only) 


NSS Volumes support the following advanced storage solutions, as documented in the Storage and 
File Services Overview for OES. 


* “Network Attached Storage Solutions” 

A dedicated data server or appliance that provides centralized storage access for users and 
application servers through the existing network infrastructure and by using traditional LAN 
protocols such as Ethernet and TCP/IP. When Gigabit Ethernet is used, access speeds are 
similar to direct attached storage device speeds. 

The downside is that data requests and data compete for network bandwidth. 

* “Storage Area Network Solutions” 

A separate, dedicated data network consisting of servers and storage media that are connected 
through high-speed interconnects, such as 

* “Novell iSCSI” 


You can create a SAN using Novell iSCSI, which uses Novell eDirectory™ to manage 
iSCSI resources, including granting trustee rights and user file access. 


* “Fault Tolerant and High Availability Architectures” 
Use one or more of the following technologies: 


* “Multiple Path I/O”: NSS helps prevent failure in the connection between the CPU and the 
storage device by automatically identifying multiple paths between each NetWare server 
and its storage devices. 

For more information, see “Managing Multiple Connection Paths to Devices (NetWare)” 
in the Novell Storage Services File System Administration Guide for OES. 

* “Software RAIDs”: NSS supports software RAIDs to improve storage availability and 
performance by enhancing data fault tolerance and I/O performance. 

For more information, see “Managing Software RAID Devices” in the Novell Storage 
Services File System Administration Guide for OES. 

* “Server Clusters”: You can configure up to 32 NetWare servers into a high-availability 
cluster wherein resources and services are dynamically allocated to any server in the 
cluster and automatically switched to another server if the hosting server fails. 


By manually switching services, IT organizations can maintain and upgrade servers 
during production hours and eliminate scheduled downtime. 


For more information, see the OES Novell Cluster Services 1.8.2 Administration Guide for 
NetWare and the iSCSI 1.1.3 Administration Guide for NetWare 6.5. 


25.1.4 NetWare Core Protocol Support (Novell Client Support) 
on Linux 


Many organizations rely on Novell Client™ software and the NetWare Core Protocol™ (NCP™) for 
highly secure access to file storage services. 

The NCP server for OES Linux lets you attach to Linux using Novell Client software. For more 
information, see Section 35.6, “NCP Implementation and Maintenance,” on page 224. 


25.2 Planning OES File Storage 


The following sections can help you plan for storage on your OES network: 


* Section 25.2.1, "Directory Structures," on page 147 
* Section 25.2.2, “File Service Support Considerations," on page 148 
* Section 25.2.3, “General Requirements for Data Storage," on page 148 


* Section 25.2.4, “NSS Planning Considerations,” on page 148 


25.2.1 Directory Structures 


Linux: To plan the directory structures you need on OES Linux, see “Understanding Directory 
Structures in Linux Traditional File Systems” in the File Systems Management Guide for OES. 

NetWare: To plan the directory structures you need on OES NetWare, see “Planning Directory 
Structures for NetWare” in the File Systems Management Guide for OES. 


25.2.2 File Service Support Considerations 


Figure 25-2 shows which file services can access which volume types. 


Figure 25-2 File Services Supported on Volume Types 

25.2.3 General Requirements for Data Storage 


Finding the right storage solution requires you to identify your data storage requirements. You might 
want to compare your list of requirements against those described in “Storage Solutions" in the 
Storage and File Services Overview for OES. 


25.2.4 NSS Planning Considerations 


Consider the following when planning for NSS: 


Device Size Limit 


NSS recognizes logical or physical devices up to 2 terabytes (TB) in size. If you have a storage disk 
larger than 2 TB, use the storage device's management utility to carve the disk into smaller logical 
devices to use with the NSS file system. 


This is especially important to remember when planning for NSS volumes on Linux because the size 
limit for Linux traditional volumes is 8 terabytes. 


Other NSS Planning Topics 


To plan for NSS volumes—including prerequisites, security considerations, and moving volumes 
between Linux and NetWare—see “Planning for NSS Storage Solutions" in the Novell Storage 
Services File System Administration Guide for OES. 


25.3 Coexistence and Migration of Storage Services 

The following sections summarize the coexistence and migration issues related to storage services. 

25.3.1 NetWare Traditional File System 

You can upgrade both NetWare Traditional volumes and Legacy NSS volumes to OES. 

For more information, see “Upgrading Legacy NSS and NetWare Traditional Volumes” in the 
Novell Storage Services File System Administration Guide for OES. 


25.3.2 NSS 


Supporting NSS volumes in a mixed environment and migrating data between OES platforms 
presents a number of possibilities for your storage solutions. To ensure success, however, you must 
fully understand the proper methods and limitations involved. 


To learn about and deal with coexistence and migration issues pertaining to NSS volumes, see 
“Coexistence and Migration Issues” in the Novell Storage Services File System Administration 
Guide for OES. 


25.4 Initial Setup Is Required for NetWare 


During installation, NetWare creates an NSS system pool (sys) and volume (sys:) on your server’s 
primary hard drive. You must create other NSS pools and volumes before you can use your system 
effectively. For information, see the Novell Storage Services File System Administration Guide for 
OES. 


25.5 Configuring and Maintaining Storage 


This section covers the following topics: 


* Section 25.5.1, “Managing Directories and Files,” on page 149 
* Section 25.5.2, “Managing NSS,” on page 149 
* Section 25.5.3, “Optimizing Storage Performance,” on page 151 
* Section 25.5.4, “Disk Management on NetWare,” on page 151 


25.5.1 Managing Directories and Files 


To learn about managing directories and files for the OES server type, see the following sections in 
the File Systems Management Guide for OES. 


* Linux: "Understanding Directory Structures in Linux Traditional File Systems" 


* NetWare: "Configuring Directories for NetWare and NSS on Linux" 


25.5.2 Managing NSS 


Use the links in Table 25-2 to find information on the many management tasks associated with NSS 
volumes. 

Table 25-2 NSS Management 

| Category/Feature | Description | Link |
|---|---|---|
| Compression | Conserve disk space and increase the amount of data a volume can store. | “Managing Compression on NSS Volumes” in the Novell Storage Services File System Administration Guide for OES. |
| Console Commands | Manage NSS volumes at an OES NetWare server console or an OES Linux shell. | “Using NSS Commands and Utilities” in the Novell Storage Services File System Administration Guide for OES. |
| Distributed File Services (DFS) | Use DFS Junctions to transparently redirect data requests, split volumes while maintaining transparent access, and quickly move volume data to another volume. | “Managing Distributed File Services (NetWare)” in the Novell Storage Services File System Administration Guide for OES. |
| Encryption | Create and manage encrypted NSS volumes that make data inaccessible to software that circumvents normal access control. | “Managing Encrypted NSS Volumes” in the Novell Storage Services File System Administration Guide for OES. |
| EVMS | Use EVMS, which is required for NSS, to manage volumes on Linux, including the system (root [/]) volume if NSS is installed on the same disk. | “Using EVMS to Manage Devices with NSS Volumes (Linux)” in the Novell Storage Services File System Administration Guide for OES. |
| Hard Links | Create multiple names for a single file in the same or multiple directories in an NSS volume. | “Managing Hard Links” in the Novell Storage Services File System Administration Guide for OES. |
| Multipath Support (NetWare) | Manage the dynamic, multiple, redundant connection paths NSS creates between a NetWare server and its external storage devices. | “Managing Multiple Connection Paths to Devices (NetWare)” in the Novell Storage Services File System Administration Guide for OES. |
| Partitions | Manage partitions on NSS volumes. | “Managing Partitions” in the Novell Storage Services File System Administration Guide for OES. |
| Pools | Create and manage NSS pools. | “Managing NSS Pools” in the Novell Storage Services File System Administration Guide for OES. |
| Tools | Learn about the various tools available to manage NSS volumes, the tool capabilities, and how to use them. | “Management Tools for NSS” in the Novell Storage Services File System Administration Guide for OES. |
| Troubleshooting | Troubleshoot NSS on OES Linux and OES NetWare. | “Troubleshooting the NSS File System” in the Novell Storage Services File System Administration Guide for OES. |
| Volumes | Create and manage NSS volumes in NSS pools. | “Managing NSS Volumes” in the Novell Storage Services File System Administration Guide for OES. |
| | Monitor NSS file systems. | “Monitoring the NSS File System Status” in the Novell Storage Services File System Administration Guide for OES. |


25.5.3 Optimizing Storage Performance 


* NSS on Linux: “Configuring the System Cache to Fine-Tune NSS Performance (Linux)” in 
the Novell Storage Services File System Administration Guide for OES 
* NSS on NetWare: “Configuring the System Cache to Fine-Tune NSS Performance 
(NetWare)” in the Novell Storage Services File System Administration Guide for OES 


25.5.4 Disk Management on NetWare 


Disk management is obviously central to providing storage services. To plan how you will add, 
allocate, maintain, and remove disks accessed by OES NetWare servers, see OES Server Disks and 
Storage Devices for NetWare. 


26 IPX and TCP/IP 


See the related topics on the “Network Protocols” page in the OES online documentation. 


iSCSI 


See the topics in “iSCSI” in the OES online documentation. 


Licensing 


This section explains the following: 


* Section 28.1, “The OES Licensing Model,” on page 157 
* Section 28.2, “Licensing Services on OES NetWare,” on page 157 
* Section 28.3, “OES Linux Doesn't Support NLS,” on page 157 
* Section 28.4, “Configuring and Administering Licensing Services,” on page 158 


28.1 The OES Licensing Model 


The only licensing restriction is the number of user connections allowed to use OES services on 
your network. You are authorized to install as many OES servers as you need to provide OES 
services to those users. 


For example, if your OES license is for 100 user connections, you can install as many OES NetWare 
and/or OES Linux servers as desired. Up to 100 users can then connect to and use the services 
provided by those OES servers. 


When you install OES on either platform, you must accept an end user license agreement (EULA). 
Your rights to use the OES product are limited to the rights set forth in the EULA. Violators of 
Novell's license agreements and intellectual property are prosecuted to the fullest extent of the law. 


To report piracy and infringement violations, please call 1-800-PIRATES (800-747-2837) or send 
e-mail to pirates@novell.com. 


For more information on OES licensing, see the OES Licensing page on the Novell Web site 
(http://www.novell.com/licensing/oes_licensing.html). 


28.2 Licensing Services on OES NetWare 


When you install or upgrade NetWare, the server installation software automatically installs the 
Novell® Licensing Services (NLS) software. During the installation of the first NetWare server in a 
tree, you are prompted for a license/key file pair (*.nlf and *.nfk). 


After installing OES, you can use Novell iManager to install and manage license certificates in your 
eDirectory™ tree and monitor NetWare usage. You can also monitor usage of Novell Licensing 
Services-enabled products. 


For information, see “How Novell Licensing Services Works” in the OES Licensing Services 
Administration Guide for NetWare. 


28.3 OES Linux Doesn't Support NLS 


Novell Licensing Services (NLS) are not available on OES Linux, nor does an OES Linux 
installation require a license/key file pair (*.nlf and *.nfk). 


28.4 Configuring and Administering Licensing Services 


See the related topics in “Auditing and Licensing” in the OES online documentation. 


Search 


See the topics in “Search Engine (QuickFinder)” in the OES online documentation. 


Security 


This section contains the following topics: 


* Section 30.1, “Overview of OES Security Services,” on page 161 
* Section 30.2, “Planning for Security,” on page 163 
* Section 30.3, “Security Coexistence and Migration,” on page 163 
* Section 30.4, “Configuring and Administering Security,” on page 163 
* Section 30.5, “Comparing the Linux and the NetWare Core Protocol (NCP) File Security 
Models,” on page 164 
* Section 30.6, “Advanced Certificate Information for OES Linux,” on page 166 
* Section 30.7, “Links to Product Security Considerations Sections,” on page 167 


30.1 Overview of OES Security Services 


This section provides specific overview information for the following key OES components: 


* Section 30.1.1, “Encryption (NICI),” on page 161 
* Section 30.1.2, “Novell Certificate Server,” on page 162 
* Section 30.1.3, “User Restriction Limitations,” on page 163 


For more authentication and security topics, see the OES online documentation. 


30.1.1 Encryption (NICI) 


The Novell® International Cryptography Infrastructure (NICI) is the Novell solution to a 
cross-platform, policy-driven, independently certified, and extensible cryptography service. NICI is the 
cryptography module that provides keys, algorithms, various key storage and usage mechanisms, 
and a large-scale key management system. 


NICI controls the introduction of algorithms and the generation and use of keys. It allows 
production of a single commodity version of security products that support strong cryptography and 
multiple cryptographic technologies for worldwide consumption. Initial services built on this 
infrastructure are Directory Services (Novell eDirectory™), Novell Modular Authentication 
Services (NMAS™), Novell Certificate Server™, Novell SecretStore®, and TLS/SSL. 


Key Features 


NICI includes the following key features: 

* Supports industry standards: Is implemented following recognized industry standards. 
* Certified: Is FIPS-140-1 certified on selected platforms. 
* Cross-platform support: Is available on both OES platforms. 
* Complies with governmental export and import regulations: Has cryptographic interfaces that 
are exportable from the U.S. and importable into other countries with government-imposed 
constraints on the export, import, and use of products that contain embedded cryptographic 
mechanisms. 
* Secure and tamper-resistant architecture: The architecture uses digital signatures to implement 
a self-verification process so that consuming services are assured that NICI has not been 
modified or tampered with when it is initialized. 


More Information 


For more information on how to use NICI, see the NICI 2.6x Administration Guide 
(http://www.novell.com/documentation/lg/nici20). 


30.1.2 Novell Certificate Server 


Novell Certificate Server provides public key cryptography services that are natively integrated into 
Novell eDirectory. 


These services let you mint, issue, and manage both user and server certificates to protect 
confidential data transmissions over public communications channels such as the Internet. 


Novell Certificate Server lets you 

* Provide public key cryptography services for your network. 
  You can choose to 
  * Create an Organizational Certificate Authority (CA) in eDirectory and issue as many user 
    and server certificates as needed. 
  * Use the services of an external certificate authority. 
  * Use a combination of both as your needs dictate. 
* Avoid the costs associated with obtaining and managing public key certificates by creating an 
Organizational CA to issue public key certificates. 
* Make public key certificates openly available while protecting them against tampering and 
leveraging eDirectory replication and access control features. 
* Expose private keys to only the software routines that use them for signing and decrypting 
operations. 
* Securely back up NICI-encrypted private keys using standard eDirectory backup utilities. 
* Centrally administer certificates using ConsoleOne®. The Novell iManager plug-in also lets 
you do some administration tasks. 
* Let users export their own certificates using ConsoleOne for use in cryptography-enabled 
applications. 
* Create and manage user certificates for 
  * GroupWise® 5.5 and later. 
  * Microsoft Outlook 98 and Outlook 2000. 
  * Netscape* Messenger* and other popular e-mail clients. 
  * Netscape Navigator*. 
  * Microsoft Internet Explorer. 


For more information on how to use Novell Certificate Server, see the Novell Certificate Server 2.7 
Administration Guide (http://www.novell.com/documentation/lg/crt27). 


30.1.3 User Restriction Limitations 


Seasoned NetWare® administrators are accustomed to being able to set the following various access 
restrictions on users: 


* Account balance restrictions 
* Address restrictions 
* Intruder lockout 
* Login restrictions 
* Password restrictions 
* Time restrictions 


Many of the management interfaces that set these restrictions (iManager, for example), might seem 
to imply that these restrictions apply to users who are accessing an OES server using any protocol. 


This is generally true, with two important exceptions: 


* Maximum number of concurrent connections in login restrictions 


* Address restrictions 


These two specific restrictions are enforced only for users that are accessing the server using NCP™. 
Connections through other access protocols (for example, HTTP or CIFS) have no concurrent 
connection or address restrictions imposed. 


For this reason, you will probably want to consider not enabling services such as ssh and ftp for 
PAM access when setting up Linux User Management. 


For more information on Linux User Management, see “Linux Access for eDirectory Users (LUM)” 
on page 117. For more information on the services that can be PAM-enabled, see Table 18-1 on 
page 120. 
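
The following added example (not part of the original guide) shows one way to list which PAM service files hand authentication to LUM, so that non-NCP logins such as ssh and ftp can be reviewed against the limitation described above. It assumes that LUM's PAM module is named pam_nam.so, that service files live in a directory such as /etc/pam.d, and that the ssh and ftp service files are named sshd and ftp; the sample files are constructed for the demonstration.

```python
import os
import tempfile

# Assumptions (not from the guide): LUM's PAM module is named pam_nam.so,
# PAM keeps one file per service in a directory such as /etc/pam.d, and the
# ssh and ftp services use the file names below. Adjust for your server.
LUM_PAM_MODULE = "pam_nam.so"
NON_NCP_SERVICES = ("sshd", "ftp")


def lum_enabled_services(pam_dir):
    """Map each PAM service file to the stack types that reference LUM.

    Only direct references are found; a module pulled in through an
    include file would have to be checked in that included file.
    """
    enabled = {}
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        types = set()
        with open(path, encoding="utf-8", errors="replace") as handle:
            for raw in handle:
                line = raw.split("#", 1)[0].strip()  # drop comments
                tokens = line.split()
                if len(tokens) < 3:
                    continue
                # Line format: type control module [args]. The control field
                # may be bracketed and contain spaces, so scan every token
                # after the first two; the module may carry a full path.
                if any(os.path.basename(t) == LUM_PAM_MODULE for t in tokens[2:]):
                    types.add(tokens[0].lstrip("-"))
        if types:
            enabled[name] = sorted(types)
    return enabled


def services_to_review(pam_dir, watched=NON_NCP_SERVICES):
    """Return watched non-NCP services where LUM handles auth or account.

    eDirectory users can log in through these services, but the concurrent
    connection and address restrictions are enforced only for NCP.
    """
    enabled = lum_enabled_services(pam_dir)
    return [s for s in watched if {"auth", "account"} & set(enabled.get(s, []))]


def build_sample_pam_dir():
    """Write constructed sample service files into a temporary directory."""
    samples = {
        "sshd": "#%PAM-1.0\n"
                "auth     sufficient  pam_nam.so\n"
                "auth     required    pam_unix2.so\n"
                "account  sufficient  /lib/security/pam_nam.so\n"
                "account  required    pam_unix2.so\n",
        "ftp":  "#%PAM-1.0\n"
                "# auth   sufficient  pam_nam.so   (LUM disabled for ftp)\n"
                "auth     required    pam_unix2.so\n",
        "su":   "auth     [success=1 default=ignore]  pam_nam.so\n"
                "auth     required    pam_unix2.so\n",
    }
    pam_dir = tempfile.mkdtemp(prefix="pam_sample_")
    for name, text in samples.items():
        with open(os.path.join(pam_dir, name), "w", encoding="utf-8") as handle:
            handle.write(text)
    return pam_dir


if __name__ == "__main__":
    sample = build_sample_pam_dir()
    print("LUM-enabled services:", lum_enabled_services(sample))
    print("Non-NCP services to review:", services_to_review(sample))
```
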


30.2 Planning for Security 


For planning topics, see the Security section in the OES online documentation. 


30.3 Security Coexistence and Migration 


For authentication- and security-related coexistence and migration information, see “Security and 
Certificate Management” in the OES Coexistence and Migration Guide. 


30.4 Configuring and Administering Security 


For a list of configuration and administration topics, see the Security section in the OES online 
documentation. 

30.5 Comparing the Linux and the NetWare Core Protocol (NCP) File Security Models 


The NetWare (NSS/NCP) and Linux (POSIX) security models are quite different, as presented in 
Table 30-1. 


Table 30-1 POSIX Vs. NSS/NCP File Security Models 

| Feature | POSIX / Linux | NSS/NCP on OES Linux |
|---|---|---|
| Administrative principles | Permissions are controlled and managed for each file and subdirectory individually. Because of the nature of the POSIX security model, users usually have read rights to most of the system. To make directories and files private, permissions must be removed. For more information on creating private directories, see “Making Home Directories Private” in the Novell Linux User Management Technology Guide. For more information on making existing directories private, see Section 35.4.2, “Providing a Private Work Directory,” on page 222. | Trustee assignments are made to directories and files and flow down from directories to everything below unless specifically reassigned. |
| Default accessibility | Users have permissions to see most of the file system. The contents of a few directories, such as the /root home directory, can only be viewed by the root user. Some system configuration files can be read by everyone, but the most critical files, such as /etc/fstab, can only be read and modified by root. | Users can see only the directories and files for which they are trustees (or members of a group that is a trustee). |
| Home directories—an example of default accessibility | By default, all users can see the names of directories and files in home directories. To make directories and files private, permissions must be removed. For more information on creating private home directories, see “Making Home Directories Private” in the Novell Linux User Management Technology Guide. For more information on making existing home directories private, see Section 35.4.2, “Providing a Private Work Directory,” on page 222. | By default, only the system administrator and the home directory owner can see a home directory. Files in the directory are secure. If users want to share files with others, they can grant trustee assignments to the individual files, or they can create a shared subdirectory and assign trustees to it. |
| Inheritance from parents | Nothing is inherited. Granting permission to a directory or file affects only the directory or file. | Rights are inherited in all child subdirectories and files unless specifically reassigned. A trustee assignment can potentially give a user rights to a large number of subdirectories and files. |
| Privacy | Because users have permissions to see most of the file system for reasons stated above, most directories and files are only private when you make them private. | Directories and files are private by default. |
| Subdirectory and file visibility | Permissions granted to a file or directory apply to only the file or directory. Users can't see parent directories along the path up to the root unless permissions are granted (by setting the UID, GID, and mode bits) for each parent. After permissions are granted, users can see the entire contents (subdirectories and files) of each directory in the path. | When users are given a trustee assignment to a file or directory, they can automatically see each parent directory along the path up to the root. However, users can't see the contents of those directories, just the path to where they have rights. |


When an NCP volume is created on a traditional Linux or NSS volume, some of the behavior 
described above is modified. For more information, see the NCP Server for Linux Administration 
Guide, particularly the “NCP on Linux Security” section. 
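
The POSIX column of Table 30-1 can be checked on a real file system. The following added example (not part of the original guide) reports which home directories still grant rights to users who are neither owner nor group member, and finds the first parent directory that blocks such users from reaching a file. The function names and the sample tree are constructed for the demonstration, and only the mode bits are examined (no ACLs).

```python
import os
import stat
import tempfile


def other_rights(mode):
    """Describe what the 'other' mode bits grant on a directory."""
    rights = []
    if mode & stat.S_IROTH:
        rights.append("list names")
    if mode & stat.S_IXOTH:
        rights.append("traverse")
    if mode & stat.S_IWOTH:
        rights.append("create/delete entries")
    return rights


def audit_home_dirs(base):
    """Return {name: rights} for each directory under base that grants
    anything to 'other'. Symbolic links are skipped, not followed."""
    findings = {}
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        rights = other_rights(entry.stat(follow_symlinks=False).st_mode)
        if rights:
            findings[entry.name] = rights
    return findings


def first_blocking_parent(path, stop):
    """Check every directory from stop down to path's parent and return the
    first one without search (x) permission for 'other', or None if the
    whole path can be traversed. POSIX inherits nothing, so each parent
    must grant the right itself."""
    path, stop = os.path.realpath(path), os.path.realpath(stop)
    rel = os.path.relpath(path, stop)
    if rel in (os.curdir, os.pardir) or rel.startswith(os.pardir + os.sep):
        raise ValueError("path must be located below stop")
    ancestors = [stop]
    for part in rel.split(os.sep)[:-1]:
        ancestors.append(os.path.join(ancestors[-1], part))
    for directory in ancestors:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return directory
    return None


def build_sample_tree():
    """Create a constructed sample tree with three home directories."""
    root = tempfile.mkdtemp(prefix="posix_privacy_")
    layout = {
        "home": 0o755,
        "home/alice": 0o755,         # default-style: everyone can browse
        "home/bob": 0o700,           # private: permissions removed
        "home/carol": 0o711,         # path usable, contents not listable
        "home/carol/shared": 0o755,  # explicitly shared subdirectory
    }
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in ("home/bob/notes.txt", "home/carol/shared/plan.txt"):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("constructed sample\n")
    os.chmod(root, 0o755)
    for rel, mode in layout.items():  # set modes explicitly, ignoring umask
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    home = os.path.join(tree, "home")
    print("Home directories open to other users:", audit_home_dirs(home))
    for rel in ("bob/notes.txt", "carol/shared/plan.txt"):
        blocker = first_blocking_parent(os.path.join(home, rel), tree)
        print(rel, "->", blocker or "reachable by other users")
```
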

30.6 Advanced Certificate Information for OES Linux 


Table 30-2 contains information about the authentication certificates used by each of the OES Linux 
components. 


Table 30-2 Certificate Information for OES Linux Products and Services 

| Product/Service | Certificate Information |
|---|---|
| Apache | The Apache Web server that is installed with OES is not configured as an LDAP client by default. The /etc/opt/novell/httpd/conf/httpd.conf file contains an LDAP section toward the end that has been commented out. This can be modified to turn on LDAP authentication and configure the settings. The file can point to either a .b64 or .der certificate for server authentication. To enable HTTPS connectivity, the OES install creates a default certificate using OpenSSL and adds it to the JVM* (keytool) for Tomcat to use. |
| eGuide | eGuide uses the same basic mechanisms as iManager, except that it doesn't retrieve a certificate from the server if a certificate isn't found in the keystore. |
| iManager 2.5 and Virtual Office | Virtual Office requires that iManager is installed and configured. Both products use LDAP over SSL, meaning that all communications with the LDAP server are encrypted. However, if server authentication is not configured, iManager retrieves a certificate from the server and then uses that certificate for encryption. If server authentication is configured, the administrator can add the server's exported certificate to the JVM CACerts keystore using the Java* keytool tool. |
| iPrint | iPrint is not configured by default to require user authentication. This can be changed using iManager. For more information, see “Setting Up a Secure Printing Environment” in the OES iPrint Administration Guide for Linux. |
| Linux User Management (LUM) | LUM looks for certificates in /var/nam. The certificates are named IP.cer or DNS.der, where IP and DNS represent the IP address and DNS name of the server, respectively. LUM automatically retrieves a certificate if one is not supplied. You can edit the /etc/nam.conf file to change the name of the certificate file or the location to another directory on the file system. LUM uses .der files. |
| Novell iFolder® 2.1x | Novell iFolder can use either no SSL or SSL with server authentication. For more information, see the Novell iFolder 2.1 Installation and Administration Guide. |

30.7 Links to Product Security Considerations Sections 


The following product documentation contains additional security information: 


Table 30-3 Security Consideration Links 

| Product/Technology | Security Considerations Section Link |
|---|---|
| Archive and Version Services | “Security Considerations for Archive and Version Services” in the Novell Archive and Version Services 2.0 for NetWare Administration Guide for OES |
| eDirectory | “Setting Up a Security Container As a Separate Partition” in the Novell eDirectory 8.7.3 Administration Guide |
| File Systems | File Systems Management Guide for OES (information throughout the guide) |
| Health Monitoring Services | “Security Considerations” in the Health Monitoring Services Administration Guide for OES |
| Identity Manager 3.0.1 | “Security: Best Practices” in the Novell Identity Manager 3.0.1 Administration Guide |
| iFolder 3.x | Novell iFolder 3.x Security Administrator Guide |
| iPrint for OES Linux | “Setting Up a Secure Printing Environment” in the OES iPrint Administration Guide for Linux |
| iPrint for OES NetWare | “Setting Up a Secure Printing Environment” in the OES iPrint Administration Guide for NetWare |
| iSCSI for OES NetWare | Enabling and Configuring iSCSI Initiator Security in the iSCSI 1.1.3 Administration Guide for NetWare 6.5 |
| Linux User Management | “nambulkadd Security Considerations” in the Novell Linux User Management Technology Guide |
| Native File Access Protocols | “Enabling and Disabling SMB Signing” in the OES Native File Access Protocols Guide. |
| Novell Client for Linux | “Managing File Security” in the Novell Client for Linux 1.2 Administration Guide |
| Novell Client for Windows | “Managing File Security and Passwords” in the Novell Client for Windows Installation and Administration Guide |
| Novell Remote Manager for OES Linux | “Security Considerations” in the Novell Remote Manager Administration Guide for Linux for OES |
| Novell Remote Manager for OES NetWare | “Security Considerations” in the Novell Remote Manager for NetWare Administration Guide for OES |
| Novell Storage Services | “Securing Access to NSS Volumes, Directories, and Files” and “Security Considerations” in the Novell Storage Services File System Administration Guide for OES |
| OES Linux Installation | “Security Considerations” in the OES Linux Installation Guide |
| OpenWBEM | “Ensuring Secure Access” in the OpenWBEM Services Administration Guide for OES |
| QuickFinder | “Security Considerations” in the QuickFinder Server 4.0 Administration Guide |
| Server Consolidation and Migration Toolkit | “Security Considerations” in the Novell Server Consolidation and Migration Toolkit Administration Guide |


Time Synchronization 


The information in this section can help you understand and set up time synchronization on your 
OES servers: 


* Section 31.1, “Overview of Time Synchronization,” on page 169 
* Section 31.2, “Planning for Time Synchronization,” on page 173 
* Section 31.3, “Coexistence and Migration of Time Synchronization Services,” on page 176 
* Section 31.4, “Implementing Time Synchronization,” on page 179 
* Section 31.5, “Configuring and Administering Time Synchronization,” on page 180 


31.1 Overview of Time Synchronization 


All servers in an eDirectory™ tree must have their times synchronized to ensure that updates and 
changes to eDirectory objects occur in the proper order. 


eDirectory gets its time from the server operating system (NetWare® or Linux) of the OES server 
where it is installed. It is, therefore, critical that every server in the tree has the same time. 


31.1.1 Understanding Time Synchronization Modules 


Because your OES eDirectory tree might contain servers running OES Linux, OES NetWare, or 
previous versions of NetWare, you must understand the differences in the time synchronization 
modules that each operating system uses and how these modules can interact with each other. 


OES Linux vs. OES NetWare 


As illustrated in Figure 31-1, OES NetWare (and NetWare 6.5) can use either the Network Time 
Protocol (NTP) or Timesync modules for time synchronization. Both modules can communicate 
with OES Linux using NTP. 


OES Linux must use the NTP daemon (xntpd). 


Figure 31-1 Time Synchronization for Linux and NetWare 

OES Servers Communicate Using the Network Time Protocol (NTP) 


Because OES Linux and NetWare servers must communicate with each other for time 
synchronization, and because Linux uses only NTP for time synchronization, it follows that both 
Linux and NetWare must communicate time synchronization information using NTP time packets. 
However, this doesn’t limit your options on NetWare. 


Figure 31-2 illustrates that OES Linux and NetWare servers can freely interchange time 
synchronization information because OES NetWare includes 


* A TIMESYNC NLM™ that both consumes and provides NTP time packets in addition to 
Timesync packets. 


* An XNTPD NLM that can provide Timesync packets in addition to offering standard NTP 
functionality. 


NOTE: Although NetWare includes two time synchronization modules, only one can be loaded at a 
time. 


Figure 31-2 NTP Packet Compatibilities with All OES Time Synchronization Modules 

Compatibility with Earlier Versions of NetWare 


Earlier versions of NetWare (version 4.2 through version 6.0) do not include an NTP time module. 
Their time synchronization options are, therefore, more limited. 


NetWare 5.1 and 6.0 Servers 


Figure 31-3 illustrates that, although NetWare 5.1 and 6.0 do not include an NTP time module, they 
can consume and deliver NTP time packets. 


Figure 31-3 NTP Compatibility of NetWare 5.1 and 6.0 

NetWare 5.0 and 4.2 Servers 


Figure 31-4 illustrates that NetWare 4.2 and 5.0 servers can only consume and provide Timesync 
packets. 


Figure 31-4 Synchronizing Time on NetWare 5.0 and 4.2 Servers 

Therefore, if you have NetWare 4.2 or 5.0 servers in your eDirectory tree, and you want to install an 
OES Linux server, you must have at least one NetWare 5.1 or later server to provide a “bridge” 
between NTP and Timesync time packets. Figure 31-5 on page 172 illustrates that these earlier 
server versions can synchronize through an OES NetWare server. 


IMPORTANT: As shown in Figure 31-4, we recommend that NetWare 4.2 servers not be used as a 
time source. 


31.1.2 OES Servers as Time Providers 


Figure 31-5 on page 172 shows how OES servers can function as time providers to other OES 
servers and to NetWare servers, including NetWare 4.2 and later. 


Figure 31-5 OES Servers as Time Providers 

31.1.3 OES Servers as Time Consumers 


Figure 31-6 on page 173 shows the time sources that OES servers can use for synchronizing server 
time. 


IMPORTANT: Notice that NetWare 4.2 is not shown as a valid time source. 

Figure 31-6 OES Servers as Time Consumers 


31.2 Planning for Time Synchronization 


Use the information in this section to understand the basics of time synchronization planning. For 
more detailed planning information, refer to the following resources: 


* “How Timesync Works” in the Network Time Management for NetWare Administration Guide 
for OES 
* “Network Time Protocol” in the Novell Network Time Protocol Administration Guide for OES 
* Linux NTP information on the Web (http://www.eecis.udel.edu/~mills/ntp/html/index.html) 


31.2.1 Network Size Determines the Level of Planning Required 


The level of time synchronization planning required for your network is largely dictated by how 
many servers you have and where they are located, as explained in the following sections. 


Time Synchronization for Trees with Fewer Than Thirty Servers 


If your tree will have fewer than thirty servers, the default installation settings for time 
synchronization should be sufficient for all of the servers except the first server installed in the tree. 


You should configure the first server in the tree to obtain time from one or more time sources that are 
external to the tree. (See Step 1 in Section 31.2.3, "Planning a Time Synchronization Hierarchy 
before Installing OES," on page 175.) 


All other servers (both Linux and NetWare) automatically point to the first server in the tree for their 
time synchronization needs. 

Time Synchronization for Trees with More Than Thirty Servers 


If your tree will have more than thirty servers, you need to plan and configure your servers with time 
synchronization roles that match your network architecture and time synchronization strategy. 
Example roles might include the following: 


* Servers that receive time from external time sources and send packets to other servers further 
down in the hierarchy 
* Servers that communicate with other servers in peer-to-peer relationships to ensure they are in 
sync 


Basic planning steps are summarized in Section 31.2.3, “Planning a Time Synchronization 
Hierarchy before Installing OES,” on page 175. 


Refer to the following sources for additional help in planning time server roles: 


* “Configuring Timesync on Servers” in the Network Time Management for NetWare 
Administration Guide for OES 
* “Modes of Time Synchronization” in the Novell Network Time Protocol Administration Guide 
for OES 
* Linux NTP information on the Web (http://www.eecis.udel.edu/~mills/ntp/html/notes.html) 


Time Synchronization across Geographical Boundaries 


If the servers in the tree will reside at multiple geographic sites, you need to plan how to synchronize 
time for the entire network while minimizing network traffic. For more information, see “Wide Area 
Configuration” in the Novell Network Time Protocol Administration Guide for OES. 


31.2.2 Choosing between Timesync and NTP (NetWare Only) 


When you install an OES NetWare server, you can choose between Timesync and NTP for time 
synchronization. 


If you select the Timesync option, you can fully configure each server as you install it to match your 
time synchronization plan. 


If you choose the XNTPD option, you can designate up to three NTP time sources, but fine tuning 
your NTP hierarchy will require some manual configuration after the installation is complete. For 
help, consult the Novell Network Time Protocol Administration Guide for OES. 


About Timesync 


Timesync is the Novell legacy time synchronization protocol first delivered with NetWare 4. Over 
the years it has evolved and is now capable of both consuming and delivering NTP packets and 
Timesync packets. 


Timesync is installed and configured by default to ensure the smooth integration of earlier versions 
of NetWare. However, many system administrators are migrating away from Timesync and 
implementing NTP. 

About NTP 


NTP is the emerging choice for many network administrators because 

* They feel it is easier to manage a single time synchronization protocol. 
For example, the same basic configuration file (ntp.conf) can be used on both Linux and 
NetWare. 
* NTP is a cross-platform industry standard available on multiple platforms. 
* The XNTPD NLM that runs on OES NetWare provides Timesync packets for NetWare servers 
that can't consume NTP (NetWare 5.0 and 4.2), enabling them to coexist on an NTP time 
network. 


Where to Specify in the NetWare Install 


The dialog box that lets you choose between Timesync and NTP is available as an advanced option 
in the Time Zone panel during the NetWare installation. Choosing between Timesync and NTP is 
documented in "Setting the Server Time Zone and Time Synchronization Method" in the OES 
NetWare Installation Guide. 


31.2.3 Planning a Time Synchronization Hierarchy before 
Installing OES 


The obvious goal for time synchronization is that all the network servers (and workstations, if 
desired) have the same time. This is best accomplished by planning a time synchronization hierarchy 
before installing the first OES server, then configuring each server at install time so that you form a 
hierarchy similar to the one outlined in Figure 31-7. 


Figure 31-7 A Basic Time Synchronization Hierarchy 


As you plan your hierarchy, do the following: 


1 Identify at least two authoritative, external NTP time sources for the top positions in your 
hierarchy. 


1a If your network already has an NTP server hierarchy in place, identify the IP address of an 
appropriate time server. This might be internal to your network, but it should be external 
to the eDirectory tree and it should ultimately obtain time from a public NTP server. 


1b If your network doesn't currently employ time synchronization, refer to the list of public 
NTP servers published on the ntp.org Web site (http://ntp.isc.org/bin/view/Servers/WebHome) 
and identify a time server you can use. 


2 Plan which servers will receive time from the external sources and plan to install these servers 
first. 


3 Map out the position for each Linux server in your tree, including its time sources and the 
servers it will provide time for. 


4 Map out the position for each NetWare server in your tree. 
4a Include the server's time sources and the servers it will provide time for. 


4b Decide whether to use Timesync or NTP for your servers. (See Section 31.2.2, “Choosing 
between Timesync and NTP (NetWare Only),” on page 174.) 


4c If your network currently has only NetWare 4.2 or 5.0 servers, be sure to plan for their 
time synchronization needs by including at least one newer NetWare server in the tree and 
configuring the older servers to use the newer server as their time source. (See “NetWare 
5.0 and 4.2 Servers” on page 171.) 


5 Be sure that each server in the hierarchy is configured to receive time from at least two sources. 


6 (Conditional) If your network spans geographic locations, plan the connections for time-related 
traffic on the network and especially across WANs. 


For more information, see “Wide Area Configuration” in the Novell Network Time Protocol 
Administration Guide for OES. 


For more planning information, see the following documentation: 


* Network Time Management for NetWare Administration Guide for OES 
* Novell Network Time Protocol Administration Guide for OES 


* Linux NTP information found on the OES Linux server in /usr/share/doc/packages/xntp and on 
the Web (http://www.eecis.udel.edu/~mills/ntp/html/index.html) 


31.3 Coexistence and Migration of Time 
Synchronization Services 


The time synchronization modules in Novell Open Enterprise Server (OES) have been designed to 
ensure that new OES servers, running on either NetWare or Linux, can be introduced into an 
existing network environment without disrupting any of the products and services that are in place. 


Both the Linux and NetWare installs automate the time synchronization process where possible, as 
explained in Section 31.4, “Implementing Time Synchronization,” on page 179. 


This section discusses the issues involved in the coexistence and migration of time synchronization 
in OES in the following sections: 


* Section 31.3.1, “Coexistence,” on page 177 


* Section 31.3.2, “Migration,” on page 178 


For a general discussion of coexistence and migration issues in OES, see the OES Coexistence and 
Migration Guide. 


31.3.1 Coexistence 


This section provides information regarding the coexistence of the OES time synchronization 
modules with existing NetWare or Linux networks, and with previous versions of the Timesync 
NLM. This information can help you confidently install new OES servers into your current network. 


Compatibility 


The following table summarizes the compatibility of OES time synchronization modules with other 
time synchronization modules and eDirectory. These compatibilities are illustrated in Figure 31-5 on 
page 172 and Figure 31-6 on page 173. 


Module: Timesync NLM (NetWare) 

Compatibility: 

Can consume time from 

* All previous versions of Timesync. However, the NetWare 
4.2 Timesync NLM should not be used as a time source. 
* Any Timesync or NTP daemon. 

Can provide time to 

* All previous versions of Timesync. 
* Any Timesync or NTP daemon. 


Module: XNTPD NLM (NetWare) 

Compatibility: 

Can consume time from 

* Any NTP daemon. 

Can provide time to 

* All previous versions of Timesync. 
* Any NTP daemon. 


Module: xntpd daemon (SLES 9) 

Compatibility: 

Can consume time from 

* Any NTP daemon. 

Can provide time to 

* Any NTP daemon. 


Module: eDirectory 

Compatibility: 

eDirectory gets its time synchronization information from the host 
OS (Linux or NetWare), not from the time synchronization 
modules. 


Coexistence Issues 


If you have NetWare servers earlier than version 5.1, you need to install at least one later version 
NetWare server to bridge between the Timesync NLM on the earlier server and any OES Linux 
servers you have on your network. This is because the earlier versions of Timesync can’t consume 
or provide NTP time packets and the xntpd daemon on Linux can’t provide or consume Timesync 
packets. 


Fortunately, the Timesync NLM in NetWare 5.1 and later can both consume and provide Timesync 
packets. And the XNTPD NLM can provide Timesync packets when required. 


This is explained in “Compatibility with Earlier Versions of NetWare” on page 170. 
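
The planning steps in Section 31.2.3 and the compatibility summary above can be checked mechanically before any server is installed. The following Python sketch is an added example, not Novell code: the module labels, server names and sample plan are constructed for illustration, and it encodes only rules stated on this page (two external NTP sources, two sources per server, packet-type compatibility, and a usable path to an external source).

```python
"""Check a planned time synchronization hierarchy (added example, not Novell code)."""
from dataclasses import dataclass, field

# Packet types each module can emit and accept, taken from the compatibility
# summary on this page. The dictionary keys are labels invented for this example.
MODULES = {
    "external_ntp":  {"emits": {"ntp"},             "accepts": set()},
    "timesync_nlm":  {"emits": {"ntp", "timesync"}, "accepts": {"ntp", "timesync"}},  # NetWare 5.1 and later
    "xntpd_nlm":     {"emits": {"ntp", "timesync"}, "accepts": {"ntp"}},
    "xntpd_linux":   {"emits": {"ntp"},             "accepts": {"ntp"}},
    "timesync_nw50": {"emits": {"timesync"},        "accepts": {"timesync"}},
    "timesync_nw42": {"emits": set(),               "accepts": {"timesync"}},  # should not be a time source
}


@dataclass
class Node:
    name: str
    module: str
    sources: list = field(default_factory=list)


def compatible(source, consumer):
    """True if the source emits a packet type the consumer can use."""
    return bool(MODULES[source.module]["emits"] & MODULES[consumer.module]["accepts"])


def reaches_external(name, nodes, seen=None):
    """Follow usable source links until an external NTP source is found."""
    seen = set() if seen is None else seen
    if name in seen or name not in nodes:
        return False
    seen.add(name)
    node = nodes[name]
    if node.module == "external_ntp":
        return True
    return any(compatible(nodes[s], node) and reaches_external(s, nodes, seen)
               for s in node.sources if s in nodes)


def validate(plan):
    """Return a list of problems; an empty list means the plan passes."""
    nodes = {n.name: n for n in plan}
    problems = []
    if sum(n.module == "external_ntp" for n in plan) < 2:
        problems.append("plan: fewer than two external NTP sources")
    for n in plan:
        if n.module == "external_ntp":
            continue
        if len(n.sources) < 2:
            problems.append(f"{n.name}: fewer than two time sources")
        for s in n.sources:
            if s not in nodes:
                problems.append(f"{n.name}: unknown source {s}")
            elif not compatible(nodes[s], n):
                problems.append(f"{n.name}: cannot consume time from {s}")
        if not reaches_external(n.name, nodes):
            problems.append(f"{n.name}: no path to an external NTP source")
    return problems


# Constructed sample plan; every server name here is hypothetical.
SAMPLE_PLAN = [
    Node("ext1", "external_ntp"),
    Node("ext2", "external_ntp"),
    Node("nw65a", "timesync_nlm", ["ext1", "ext2"]),
    Node("lx1", "xntpd_linux", ["ext1", "ext2"]),
    Node("lx2", "xntpd_linux", ["nw65a", "lx1"]),
    Node("nw50", "timesync_nw50", ["nw65a", "lx1"]),   # lx1 cannot send Timesync packets
    Node("nw42", "timesync_nw42", ["nw65a"]),          # only one source
    Node("lx3", "xntpd_linux", ["nw50", "nw42"]),      # legacy servers cannot send NTP
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_PLAN):
        print(problem)
```
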


31.3.2 Migration 


The following sections explain time synchronization issues associated with migration. 


Migration Path 


Your migration path depends on the platform you are migrating data to. 


NetWare to NetWare 


Time synchronization configuration settings are all migrated by the NetWare Migration Wizard 
(both Timesync and XNTPD modules) because all associated modules and configuration files reside 
on sys:system. 


NetWare to Linux 


There is no direct server migration from NetWare to Linux. However, if XNTPD is used for time 
synchronization on NetWare, the contents of the sys:system\ntp.conf file work unchanged 
on a Linux server as /etc/ntp.conf, if the configuration is valid on the network where the 
Linux server resides. 


Migration Tools 


Use the following tools for migrating services. 


NetWare Migration Wizard 


All time synchronization files are migrated with the sys:system directory and work unchanged 
on the new server. See the Server Migrations in the Novell Server Consolidation and Migration 
Toolkit Administration Guide for more information. 


iManager Migrate Plug-in 


If you decide you want to use only NTP as your time synchronization protocol, you can use the 
iManager > Time Synchronization > Migration plug-in to migrate NetWare 6.5 and OES NetWare 
servers from Timesync to NTP. 


For more information, see “Migrating TimeSync Servers to NTP” in the Novell Network Time 
Protocol Administration Guide for OES. 


Earlier versions of NetWare cannot be migrated using the plug-in. However, settings are migrated 
with the OS via the NetWare Migration Wizard. 


Recommended Procedure 


Follow the instructions for the migration module you are using. 


Migration Issues 


None. 


31.4 Implementing Time Synchronization 


As you plan to implement your time synchronization hierarchy, you should know how the OES 
NetWare and OES Linux product installations configure time synchronization on the network. Both 
installs key off whether you are creating a new tree or installing into an existing tree. 


31.4.1 New Tree 


By default, both the OES Linux and the OES NetWare installs configure the first server in the tree to 
use its internal (BIOS) clock as the authoritative time source for the tree. 


Because BIOS clocks can fail over time, you should always specify an external, reliable NTP time 
source for the first server in a tree. For help finding a reliable NTP time source, see the NTP Server 
Lists (http://ntp.isc.org/bin/view/Servers/WebHome) on the Web. 


OES Linux 


When you configure your eDirectory installation, the OES Linux install prompts you for the IP 
address or DNS name of an NTP v3-compatible time server. 


If you are installing the first server in a new eDirectory tree, you have two choices: 


* You can enter the IP address or DNS name of an authoritative NTP time source 
(recommended). 


* You can leave the field displaying Local Time, and the server is configured to use its BIOS 
clock as the authoritative time source. 


IMPORTANT: We do not recommend this second option because BIOS clocks can fail over 
time, causing serious problems for eDirectory. 


OES NetWare 


By default, the NetWare install automatically configures the Timesync NLM to use the server’s 
BIOS clock. As indicated earlier, this default behavior is not recommended for production networks. 
You should, therefore, manually configure time synchronization (either Timesync or NTP) while 
installing each NetWare server. 


Manual time synchronization configuration is accessed at install time from the Time Zone dialog 
box by clicking the Advanced button as briefly outlined in Section 31.2.2, “Choosing between 
Timesync and NTP (NetWare Only),” on page 174 and as fully explained in “Setting the Server 
Time Zone and Time Synchronization Method” in the OES NetWare Installation Guide. 


31.4.2 Existing Tree 


When a server joins an existing eDirectory tree, both OES installations do approximately the same 
thing. 


OES Linux 


If you are installing into an existing tree, the OES Linux install proposes to use the IP address of the 
eDirectory server (either NetWare or Linux) as the NTP time source. This default should be 
sufficient unless one of the following is true: 


* The server referenced is a NetWare 5.0 or earlier server, in which case you need to identify and 
specify the address of another server in the tree that is running either a later version of NetWare 
or OES Linux. 


* You will have more than 30 servers in your tree, in which case you need to configure the server 
to fit in your planned time synchronization hierarchy. For more information, see Section 31.2.3, 
"Planning a Time Synchronization Hierarchy before Installing OES," on page 175. 


The OES Linux install activates the xntp daemon and configures it to synchronize server time with 
the specified NTP time source. After the install completes, you can configure the daemon to work 
with additional time sources to ensure fault tolerance. For more information, see Section 31.5.1, 
"Changing Time Synchronization Settings on a SLES 9 Server," on page 180. 


OES NetWare 


If you are installing into an existing tree, the OES NetWare install first checks to see whether you 
manually configured either NTP or Timesync time synchronization sources while setting the server 
Time Zone (see “Setting the Server Time Zone and Time Synchronization Method” in the OES 
NetWare Installation Guide). 


If you will have more than 30 servers in your tree, you should have developed a time 
synchronization plan (see Section 31.2.3, “Planning a Time Synchronization Hierarchy before 
Installing OES,” on page 175) and configured your server according to the plan in the Time Zone 
panel. 


If you haven't manually configured time synchronization sources for the server (for example, if your 
tree has fewer than 30 servers), the install automatically configures the Timesync NLM to point to 
the IP address of the server with a master replica of the tree's [ROOT] partition. 


31.5 Configuring and Administering Time 
Synchronization 


As your network changes, you will probably need to adjust the time synchronization settings on 
your servers. 


31.5.1 Changing Time Synchronization Settings on a SLES 9 
Server 


This method works both in the GUI and at the shell prompt and is the most reliable method for 
ensuring a successful NTP implementation. 


1 Launch YaST on your SLES 9 server by either navigating to the application on the desktop or 
typing yast at the shell prompt. 

2 Click (or select using the tab and arrow keys) Network Services > NTP Client. 

3 In the NTP Client Configuration dialog box, click Complex Configuration. 

4 Modify the NTP time settings as your needs require. 


31.5.2 Changing Time Synchronization Settings on a NetWare 
Server 


Time synchronization settings and their modification possibilities are documented in the following 
administration guides: 


* Timesync: Network Time Management for NetWare Administration Guide for OES 
* NTP: Novell Network Time Protocol Administration Guide for OES 


Web and Application Services 


See the topics in “Web Services” in the OES online documentation. 


End User Services 


Novell® Open Enterprise Server (OES) user services are explained in the following sections: 


* Chapter 33, “Access,” on page 187 
* Chapter 34, “Collaboration (Virtual Office),” on page 201 
* Chapter 35, “File Services,” on page 205 
* Chapter 36, “Print Services,” on page 233 
* Chapter 37, “White Pages (eGuide),” on page 239 


Using the Information in This Section 


The information in this section is designed to help you with the following tasks: 


* Understanding the network service access options that OES provides. 
* Understanding each OES end user service and its potential to help your organization. 
* Making preinstall planning decisions. 
* Implementing the services after they are installed. 


After you understand OES user services, you can 


1. Plan your eDirectory™ tree, as explained in Section 15.2, “Planning Your eDirectory Tree,” on 
page 107. 


2. Install OES services using the instructions in the following guides: 

* For Linux: OES Linux Installation Guide 
* For NetWare: OES NetWare Installation Guide 


3. Create eDirectory users and other objects to provide service access for your network users, as 
summarized in Section 15.4, “Creating Users and Groups,” on page 109. 


4. Review the implementation and maintenance sections for each service, beginning with Section 
33.4, “Access Implementation Suggestions,” on page 197. 


Each of these sections provides a summary of the tasks associated with each service and links to 
detailed service documentation. 


Access 


Access is the key to 
* Providing services for users. 


* Ensuring that the network is secure. 


OES supports a number of access options through which your users can access network services, 
including 

* Web browsers. 

* Native interfaces on Linux, Macintosh*, and Windows workstations. 

* Novell Client™ software supported for both OES Linux and OES NetWare® servers. 


* Personal digital assistants (PDAs) and other electronic devices that are enabled for Web access. 


Of course, you control which of these interfaces can be used to access network services. 


This section is designed to help you understand OES access options so that you can plan and 
implement those that are best suited for your network by reviewing the following topics: 


* Section 33.1, "Overview of Access Services," on page 187 

* Section 33.2, “Planning for Service Access,” on page 193 

* Section 33.3, “Coexistence and Migration of Access Services,” on page 196 
* Section 33.4, "Access Implementation Suggestions," on page 197 


* Section 33.5, "Configuring and Administering Access to Services," on page 197 


33.1 Overview of Access Services 


The following sections present overviews of OES access services. 


33.1.1 Access to Services 


Figure 33-1 illustrates the variety of user interfaces supported by OES services. Novell® 
eDirectory™ provides authentication to each service. 


Figure 33-1 Access Interfaces and the Services They Access 


The interfaces available for each service are largely determined by the protocols supported by the 
service. 


* Browsers and personal digital assistants require support for the HTTP protocol. 


* Each workstation type shown in the graphic has a native protocol associated with it. Linux uses 
NFS as its native protocol for file services access, Macintosh workstations communicate using 
AFP, and Windows workstations use the CIFS protocol by default for file services. 


* Novell Client software uses NetWare Core Protocol™ (NCP™) software to provide the 
benchmark-setting file services for which Novell is so well known. 


Understanding the protocol support for OES services can help you begin to plan your OES 
implementation. For more information, see Section 33.2.5, “Matching Protocols and Services to 
Check Access Requirements,” on page 195. Information about user interface support is also 
contained in the individual service sections, beginning with Part VI, “End User Services,” on 
page 185. 


33.1.2 NetWare Access Control to Directories and Files 


eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories 
and files. These trustee rights determine what the user or group can do with a directory or file, 
provided that the directory or file attributes allow the action. 


This is illustrated in Figure 33-2. 


Figure 33-2 Directory and File Access is determined by File System Trustee Rights 


Table 33-1 explains the effective access rights illustrated in Figure 33-2. 


Table 33-1 Access Rights Explanation 


eDirectory Objects 

eDirectory objects (in most cases users and groups) gain access to the file system through 
eDirectory. 


File System Trustee Rights 

File system trustee rights govern access and usage by the eDirectory object specified for the 
directory or file to which the rights are granted. 

Trustee rights are overridden by directory and file attributes. 

For example, even though Nancy has the Supervisor (all) trustee right at the directory (and, 
therefore, to the files it contains), she cannot delete File2 because it has the Read Only 
attribute set. 

Of course, Nancy could modify the file attributes so that File2 could then be deleted. 


Directory and File Attributes 

Each directory and file has attributes associated with it. These attributes apply universally to 
all trustees regardless of the trustee rights an object might have. 

For example, a file that has the Read Only attribute is Read Only for all users. 

Attributes can be set by any trustee that has the Modify trustee right to the directory or file. 


Directories and Files 

The possible actions by the eDirectory users and group shown in this example are as follows: 

* Nancy has the Supervisor trustee right at the directory level, meaning that she can perform 
any action not blocked by a directory or file attribute. 

The Di (Delete Inhibit) and Ri (Rename Inhibit) Attributes on DirectoryA prevent Nancy from 
deleting or renaming the directory unless she modifies the attributes first. The same principle 
applies to her ability to modify File2. 

* Because Joe is a member of the Reporters group, he can view file and directory names inside 
DirectoryA and also see the directory structure up to the root directory. 

Joe also has rights to open and read any files in DirectoryA and to execute any applications in 
DirectoryA. 

* Because Bert is a member of the Reporters group, he can view file and directory names inside 
DirectoryA and also see the directory structure up to the root directory. 

Bert also has rights to open and read File1 and to execute it if it's an application. 

And Bert has rights to grant any eDirectory user access to File1. 

* Because all three users are members of the Reporters group, they can grant any eDirectory 
user access to File2. 

Of course, for Nancy this is redundant because she has the Supervisor right at the directory 
level. 

33.1.3 Understanding NSS-Specific Access Control Features 


Table 33-2 provides links to documentation that discusses the various NSS-specific access control 
features. 


Table 33-2 Summary of NSS Access Control Documentation Links 

| Feature | To Understand | See |
|---|---|---|
| Linux Mode vs. NetWare Mode. NOTE: This applies only to Linux servers. | The difference between Linux Mode access and NetWare Mode access. | “Access Control for NSS on Linux” in the File Systems Management Guide for OES. |
| NetWare directory and file attributes on NSS volumes on OES Linux. NOTE: This is about only what is displayed. POSIX permissions are not used for access control to NSS volumes. | How NSS file attributes are reflected in Linux directory and file permissions viewable through POSIX. | “Displaying Key NSS Directory and File Attributes as Linux POSIX Permissions” in the File Systems Management Guide for OES. |


33.1.4 Understanding General File System Access Control 


Table 33-3 provides links to documentation that discusses general access control features. 


Table 33-3 General File System Access Control 

| Feature | To Understand | See |
|---|---|---|
| Access Control Lists (ACLs) on Linux | How ACLs are supported on the most commonly used Linux traditional file systems and let you assign file and directory permissions to users and groups who do not own the files or directories. | “Access Control Lists in Linux” in the SUSE LINUX Enterprise Server 9 Administration Guide. |
| Directory and file attributes | Directory and file attributes on OES NetWare. | “Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes” in the File Systems Management Guide for OES. |
| File system trustee rights | File system trustee rights on NetWare (NSS and traditional volumes), including how NetWare determines effective file system trustee rights. | “File-System Trustee Rights” in the File Systems Management Guide for OES. |
| NetWare Connection Manager | How the NetWare Connection Manager tracks active user connections and provides access permission information for NSS and Traditional volumes on NetWare. | “The Connection Manager for NetWare” in the File Systems Management Guide for OES. |
| Novell Client™ and the NetWare Connection Manager | How the Novell Client works with the Connection Manager to ensure that users have correct access rights to the file system. | “Novell Client” in the File Systems Management Guide for OES. |
| NetWare trustee rights and directory and file attributes | How to control who can see which files and what they can do with them. | “Understanding File System Access Control for NSS and NetWare Traditional File Systems” in the File Systems Management Guide for OES. |
| POSIX file system rights and attributes on Linux | How to configure file system attributes on OES Linux servers. | “POSIX Access Control Lists” in the File Systems Management Guide for OES. |
| Rights to install applications on NetWare | The access rights required to install applications on NetWare file systems. | “Security Guidelines” in the File Systems Management Guide for OES. |
| Security Equivalence in eDirectory | The concept of Security Equivalence in eDirectory. | “eDirectory Objects and Security Equivalence” in the File Systems Management Guide for OES. |


33.1.5 Novell Client (NCP File Services) 


If you have not already determined whether to use the Novell Client on your network, we 
recommend that you consider the following information: 


* “About the Novell Client” on page 192 


* “Is the Novell Client Right for Your Network?” on page 193 


* “Differences between Linux and Windows” on page 193 


About the Novell Client 


The Novell Client extends the capabilities of Windows and Linux desktops with access to NetWare 
and Open OES Linux servers. 


After installing Novell Client software, users can enjoy the full range of Novell services, such as 


* Authentication via Novell eDirectory. 


* Network browsing and service resolution. 


* Secure and reliable file system access. 


* Support for industry-standard protocols. 


The Novell Client supports the traditional Novell protocols (NDAP, NCP, and RSA) and 
interoperates with open protocols (LDAP, CIFS, and NFS). 


Is the Novell Client Right for Your Network? 


Although Novell offers well-seasoned services that don’t require Novell Client (such as NetStorage, 
Novell iFolder® 2.1x, and iPrint), many network administrators continue to prefer the Novell Client 
as the access choice for their network users for the following reasons: 


* They prefer eDirectory authentication to LDAP authentication because they believe it is more 
secure. 


* They prefer the NetWare Core Protocol (NCP) over the Microsoft CIFS protocol because they 
believe that CIFS is more vulnerable to the propagation of viruses on the network. 


Conversely, other network administrators are equally adamant that their users function better 
without the added overhead of running an NCP client on each workstation. 


We can't determine what is best for your network, but we do provide you with viable choices. 


Differences between Linux and Windows 


There are some differences between the Linux and Windows clients. These are documented in 
"Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/ 
XP" in the Novell Client for Linux 1.2 Administration Guide. 


33.1.6 Linux User Management Requirements 


Some services that run on OES Linux servers require that the users accessing them be (or, at least, 
appear to the Linux system to be) standard Linux users with Linux user credentials, such as a user 
ID (UID) and primary group ID (GID). 


So that eDirectory users can access these services, Novell provides the Linux User Management 
(LUM) technology. The impact of this on you as the network administrator is that these users and 
groups must be enabled for eDirectory LDAP authentication to the local server. For more 
information, see “Linux Access for eDirectory Users (LUM)” on page 117. 


33.2 Planning for Service Access 


After you understand the access options available to your network users, you can decide which will 
work best on your network. 


Planning tips for network services are contained in the following sections: 


* Section 33.2.1, “Planning Collaboration (Virtual Office) Access,” on page 193 
* Section 33.2.2, “Planning File Service Access,” on page 194 
* Section 33.2.3, “Planning Print Service Access,” on page 195 
* Section 33.2.4, “Planning White Pages (eGuide) Access,” on page 195 
* Section 33.2.5, “Matching Protocols and Services to Check Access Requirements,” on 
page 195 


33.2.1 Planning Collaboration (Virtual Office) Access 


All eDirectory users in the tree can access Virtual Office using their Web browser. All of the services 
that you have enabled are then available to them, depending on their access privileges. More 
information about Virtual Office is available in Chapter 34, “Collaboration (Virtual Office),” on 
page 201. 


33.2.2 Planning File Service Access 


As you plan which file services to provide, be aware of the file service/volume and feature support 
limitations outlined in the following sections. 


Service Access to Volume Type Limitations 


Supported combinations are outlined in Table 33-4. 


Table 33-4 Service Access to Volume Types 

| File Service | Linux Traditional Volumes | NSS Volumes on Linux | NetWare Traditional Volumes | NSS Volumes on NetWare |
|---|---|---|---|---|
| Native File Access Protocols (NFAP) | No | No | No | Yes |
| NetStorage | Yes | Yes | Yes | Yes |
| NetWare Core Protocol (NCP) | Yes | Yes | Yes | Yes |
| Novell iFolder 2.1x | Yes | Yes | No | Yes |
| Samba | Yes | Yes | No | No |


Details about the file systems supported by each file service are explained in the documentation for 
each service. 


Also be aware that file services support different sets of access protocols. A summary of the 
protocols available for access to the various OES file services is presented in Section 33.2.5, 
“Matching Protocols and Services to Check Access Requirements,” on page 195. 


Feature Support 


Table 33-5 Features Supported on Each Volume Type 

| Feature | Linux Traditional Volumes | NSS Volumes on Linux | NetWare Traditional Volumes | NSS Volumes on NetWare |
|---|---|---|---|---|
| Directory quotas | No | Yes | Yes | Yes |
| Login scripts | Yes (if also defined as an NCP volume) | Yes | Yes | Yes |
| Mapped drives | Yes (if also defined as an NCP volume) | Yes | Yes | Yes |
| NetWare directory and file attributes | Yes (if also defined as an NCP volume) | Yes | Yes | Yes |
| NetWare extended attributes | No | Yes | Yes | Yes |
| Purge/Salvage | No | Yes | Yes | Yes |
| Trustee rights | Yes (if also defined as an NCP volume) | Yes | Yes | Yes |
| User space quotas | No | No | Yes | Yes |


33.2.3 Planning Print Service Access 


Novell iPrint has access control features that let you specify the access that each eDirectory User, 
Group, or container object will have to your printing resources. 


In the initial release of OES, access control for printers is supported only on the Windows iPrint 
Client. 


You can also use iPrint to set up print services that don't require authentication. 


For more information on access control and iPrint, see 


* Setting Printer Access Control on OES Linux 
(http://www.novell.com/documentation/oes/iprint_lx/data/akey2rp.html) 


* Setting Printer Access Control on OES NetWare 
(http://www.novell.com/documentation/oes/iprint_nw/data/akey2rp.html#akey2rp) 


33.2.4 Planning White Pages (eGuide) Access 


All eDirectory users have access to eGuide and the information you expose through it. No further 
access planning is necessary. 


For more information, see Chapter 37, “White Pages (eGuide),” on page 239. 


33.2.5 Matching Protocols and Services to Check Access 
Requirements 


Figure 33-3 illustrates the access interfaces available to users in OES and the services that each 
interface can connect to. It also shows the protocols that connect access interfaces with network 
services. 


To use the table for planning: 


1. Review the different access interfaces in the left column. 


2. Check the information to the right of each protocol listed in the second column. 


3. In the right-most column, view the protocols supported by each service. 


Figure 33-3 Access Interfaces and Services, and the Protocols That Connect Them 
33.3 Coexistence and Migration of Access Services 


Because NetWare Core Protocol (NCP) is now available on Linux, your Novell Client users can 
attach to OES Linux servers as easily as they have been able to attach to NetWare servers. In fact, 
they probably won't notice any changes. 


NCP Server for Linux enables support for login scripts, mapping drives to OES Linux servers, and 
other services commonly associated with Novell Client access. This means that Windows users with 
Novell Client installed can now be seamlessly transitioned to file services on OES Linux. 


For more information, see the NCP Server for Linux Administration Guide. 
33.4 Access Implementation Suggestions 


After you plan and install OES services, be sure to provide clear access instructions to your network 
users. For a summary of access methods, see Appendix B, “Quick Reference to OES User Services,” 
on page 247. 


33.5 Configuring and Administering Access to 
Services 


The following sections discuss administering access to services. 


33.5.1 Password Management 


In OES, eDirectory users can change their own passwords if you have installed Virtual Office by 
completing the following steps: 


1 In a Web browser, launch Virtual Office by entering the following URL in the Address field: 
http://IP or DNS/vo 


where IP or DNS is the IP address or full DNS name of the OES server. 


2 Log in to Virtual Office using the eDirectory username and password for the account being 
changed. 


3 Click the Padlock icon. 


4 Type the current eDirectory password. 


5 Type the new eDirectory password. 


6 Retype the password to confirm it. 


7 Click OK. 


33.5.2 Linux (POSIX) File System Access Rights 


Access control to Linux traditional file systems is controlled through POSIX file system access 
rights or attributes associated with directories and files. In general, the directories and files can be 
accessed by three POSIX entities: 

* The user who owns the directory or file 

* The group who owns the directory or file 

* All other users defined on the system 


These users and the affected group are each assigned (or not assigned) a combination of three 
attributes for each directory and file: 


Attribute   Effect on Directory when Assigned             Effect on File when Assigned 

Read        Lets the user or group view the               Lets the user or group open and read 
            directory's contents.                         the file. 

Write       Lets the user or group create or delete       Lets the user or group modify the file. 
            files and subdirectories in the directory. 

Execute     Lets the user or group access the             Lets the user or group run the file as a 
            directory using the cd command.               program. 


For more information, see “Configuring File System Trustees, Trustee Rights, Inherited Rights 
Filters, and Attributes” in the File Systems Management Guide for OES. 


33.5.3 NSS (and NetWare) File and Directory Trustee 
Management 


The File Systems Management Guide for OES contains a thorough discussion of file and directory 
trustee management in its “Configuring File System Trustees, Trustee Rights, Inherited Rights 
Filters, and Attributes” section. 


The following sections present brief information about managing trustees on NSS volumes. 


Changing File and Directory Attributes and Trustees Using NetStorage 


You can use the NetStorage Web browser interface to change attributes and trustees for directories 
and files on NSS volumes, but you can’t change them using a WebDAV connection to NetStorage. 


You cannot change attributes or trustees on NetWare Traditional volumes using NetStorage. 


Changing File and Directory Attributes and Trustee Rights Using the Novell Client 


You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights 
to an NSS volume on an OES Linux server. For more information, see “NetWare File Security” in 
the Novell Client for Windows Installation and Administration Guide and “Managing File Security” 
in the Novell Client for Linux 1.2 Administration Guide. 


Changing File Attributes at the Linux Shell Prompt 
Use the attrib command to change file and directory attributes on an NSS volume. 


The attrib command is also documented in “Attributes Utility for Linux” in the File Systems 
Management Guide for OES. 


Or you can enter the following command at the shell prompt: 


attrib --help 


Changing Trustee Rights at the Linux Shell Prompt 
To grant NSS trustee rights to an NSS volume, enter the following command: 


rights -f /full/directory/path -r rights mask trustee full.object.context 


where /full/directory/path is the path to the target directory on the NSS volume, rights mask is the 
list of NSS rights, and full.object.context is the object (User or Group) in its full eDirectory context 
including the tree name. 


For example, you might enter the following: 
rights -f /data/groupstuff -r rwfc trustee mygroup.testing.example tr 


For a complete list of command options, enter rights at the shell prompt. 


The rights command is also documented in “Trustee Rights Utility for Linux” in the File Systems 
Management Guide for OES. 
Collaboration (Virtual Office) 


IMPORTANT: The Virtual Office (VO) 1.5 product and associated patches are not included in OES 
SP2. However, version 1.6.1 updates of the product for both OES Linux and OES NetWare are 
available on the Web. For more information, see “Virtual Office” on page 22. 


Novell® Open Enterprise Server (OES) includes Virtual Office, a Web portal that provides access to 
OES services for your customers, employees and partners—anytime, anywhere. 


This section contains the following information: 
* Section 34.1, “Overview of Virtual Office,” on page 201 
* Section 34.2, “Planning for Virtual Office,” on page 202 
* Section 34.3, “Virtual Office Coexistence and Migration Considerations,” on page 202 
* Section 34.4, “Virtual Office Implementation Suggestions,” on page 202 
* Section 34.5, “Virtual Office Maintenance Suggestions,” on page 203 


34.1 Overview of Virtual Office 


Figure 34-1 on page 201 illustrates the services that Virtual Office makes accessible through a Web 
browser. 


Figure 34-1 How Virtual Office Works 
The following table explains the information presented in Figure 34-1. 


Users 

Users access the Virtual Office services portal through a Web browser. 


Authentication 

Access to Virtual Office and its associated services is controlled by LDAP-based authentication 
through the eDirectory™ LDAP server. 

Although shown separately, eDirectory could be installed on the OES server. 


Services 

Depending on the services you have installed and the way you have configured Virtual Office, users 
can do the following: 

* Create and participate in virtual teams of eDirectory users 
* Access files through NetStorage 
* Print to any iPrint printers 
* Access eGuide 
* Access an e-mail server (if configured) 
* Change their eDirectory passwords 

You determine what services links are available. 


34.2 Planning for Virtual Office 


For information on what is needed to configure Virtual Office, see the Novell Virtual Office 
Configuration Guide. 


34.3 Virtual Office Coexistence and Migration Considerations 


There is no migration path for Virtual Office servers. 


34.4 Virtual Office Implementation Suggestions 


If you install a Virtual Office server pattern, the following services are included by default: 


* eGuide 

* iPrint 

* NetStorage 

* Novell® iFolder 2.1x 

* QuickFinder™ Server 4.0 


Each of these services, except eGuide, requires further configuration before it can be used. 
Instructions for preparing each service for use are included in the service's section in this guide. 


Although Virtual Office doesn't require additional configuration, you can easily change the default 
settings using iManager. For example, you can 


* Post messages to the Virtual Office home page. 


* Control whether service icons appear in the interface. 


* Configure Virtual Office to access NetStorage or eGuide through an Internet proxy server. 


* Configure Virtual Office to access other file, print, or e-mail services. 
For information on getting started with Virtual Office, see the Novell Virtual Office Configuration 
Guide and the online help installed with Virtual Office. 


34.5 Virtual Office Maintenance Suggestions 


As your network grows and changes over time, you can use iManager to change your Virtual Office 
installation so that it continues to provide single-point access to network services. For more 
information, see the Novell Virtual Office Configuration Guide. 
File Services 


The file services in Novell® Open Enterprise Server (OES) let you provide Web- and network-based 
file services to your network users. 


This section contains the following information: 


* Section 35.1, “Overview of File Services,” on page 205 

* Section 35.2, “Planning for File Services,” on page 217 

* Section 35.3, “Coexistence and Migration of File Services,” on page 220 

* Section 35.4, “Aligning NCP and POSIX File Access Rights,” on page 220 

* Section 35.5, “Native File Access Protocols Implementation and Maintenance,” on page 224 

* Section 35.6, “NCP Implementation and Maintenance,” on page 224 

* Section 35.7, “NetStorage Implementation and Maintenance,” on page 225 

* Section 35.8, “Novell iFolder 2.1x Implementation and Maintenance,” on page 228 

* Section 35.9, “Novell iFolder 3.x Implementation and Maintenance,” on page 229 

* Section 35.10, “Samba Implementation and Maintenance,” on page 231 


35.1 Overview of File Services 


The file service components in OES include the following: 


* Native File Access Protocols (page 206): Lets Linux, Macintosh, UNIX, and Windows users 
access and store files on OES NetWare® servers using their native file access methods. 


* NetWare Core Protocol (page 207): Provides NetWare Core Protocol™ (NCP™) access to 
NetWare servers and to NCP volumes that you define on OES Linux server partitions. 


* NetStorage (page 208): Provides network and Web access to various Linux, NetWare, and 
Windows file services. 
The NetStorage server doesn't actually store files and folders. Rather, it provides access to 
other file services on OES Linux and NetWare servers that support the native TCP/IP protocol. 


* Novell iFolder 2.1x (page 213): Provides a Web- and network-based repository (Novell 
iFolder® server) that stores master copies of locally accessible files on the OES server. 


* Novell Samba (page 216): Provides Windows (CIFS and HTTP-WebDAV) access to files 
stored on an OES Linux server's file system. 


The file service components in OES are all mutually compatible—you can install one or more of 
them on the same OES server. 


35.1.1 Using the File Services Overviews 


Each graphical overview in the following sections introduces one of the OES file service 
components. If visual presentations help you grasp basic concepts, continue with the following 
overviews. If you prefer to skip the overviews, go to Section 35.2, “Planning for File Services,” on 
page 217. 
35.1.2 Native File Access Protocols 


The Novell Native File Access Protocols (NFAP) product lets users on Macintosh, Windows, and 
UNIX workstations access and store files on OES NetWare servers without installing any additional 
software, such as the Novell Client™ (see Figure 35-1). 


Figure 35-1 Native File Access Protocol Support on NetWare 
The following table explains the information illustrated in Figure 35-1. 


Access Methods 

Linux, UNIX, Macintosh, and Windows workstation users can create drive mappings, mount points, 
etc., to the NetWare server. Then they can access the files as though they were stored on a 
network server that is native for the respective platforms. 


Authentication/File Encryption 

All file service access is controlled by LDAP-based authentication through the eDirectory™ LDAP 
server. 

Although shown separately, eDirectory could be installed on the OES server. 

After the service is fully configured, users can log in just as they would to access files on 
other native systems. 


NFAP Services 

Files are stored on NSS volumes on OES NetWare servers. The same files can be accessed by users 
on different platforms. 


35.1.3 NetWare Core Protocol 


NetWare Core Protocol (NCP) is the technology beneath many of the network services for which 
NetWare is famous. 


And now in OES, NCP is also available on Linux. The Novell NCP Server for Linux provides the 
rich file services that Novell is known for. Windows users who run Novell Client™ software can 
now access data, manage files and folders, map drives, etc., using the same methods as they do on 
NetWare servers. 


Figure 35-2 illustrates the basics of NCP file services. For more information on how NCP can help 
you manage access to network resources, see “Access” on page 187. 


Figure 35-2 NCP Services for Linux and NetWare 
The following table explains the information illustrated in Figure 35-2. 


Access Methods 

Access is through an NCP client—specifically, the Novell Client. 


Authentication 

All file service access is controlled by eDirectory authentication. 


Files are stored on NetWare or NCP volumes that the administrator has created. 

The same core set of NetWare file attributes are available on both Linux and NetWare. 




35.1.4 NetStorage 


NetStorage makes network files available anywhere, any time. 


Common Network File Storage Problems 


Network file access is often confusing and frustrating to users, as illustrated in Figure 35-3. 


Figure 35-3 Common Network File Storage Problems 
The following table explains the information illustrated in Figure 35-3. 


Access Methods 

Browser or PDA access is business critical to those who must travel. However, access method 
support varies widely among file service providers. 


Authentication 

Authentication helps protect information assets, but having diverse authentication methods 
leads to frustration and lost productivity. 


Target File Systems 

Having diverse file storage services only adds to the complexity and confusion. 


Solution: NetStorage 

Novell NetStorage ties all of these issues together with an easy-to-administer, easy-to-use 
solution. 


Novell NetStorage on Linux 


NetStorage on Linux provides local and Web access to files on many systems without requiring the 
Novell Client (see Figure 35-4). 


Figure 35-4 How NetStorage Works on OES Linux 
The following table explains the information illustrated in Figure 35-4. 


Access Methods 

Users have read and write access to files from 

* Windows Explorer: This is enabled by the HTTP protocol with WebDAV extensions. 

* Browsers: Users can access files directly by connecting to the NetStorage server. 

* PDAs: PDA users with network connections can access their files as well. 

Access is granted through login script drive mapping (NCP server required) or through Storage 
Location Objects. 


Authentication 

File service access is controlled by LDAP-based authentication through the eDirectory LDAP 
server. 

Although shown separately, eDirectory could be running on the OES server. 


NetStorage Server 

The NetStorage Server receives and processes connection requests and provides access to storage 
on various servers on the network. 

A Novell iFolder server running on the same server as NetStorage is automatically available 
through NetStorage to Novell iFolder users. 


Target Servers 

NetStorage on Linux can connect eDirectory users to their files and folders stored in the 
following locations: 

* The same targets as NetWare (see Figure 35-5 on page 211) if the NCP server is running 

* Windows workgroup shares (CIFS or Samba shares) 

* Linux traditional volumes through an SSH connection. 

Additionally, Linux volumes can also be made available as NCP volumes. 

Novell NetStorage on NetWare 


NetStorage on NetWare provides local and Web access to files on NetWare and Linux without 
requiring the Novell Client software (see Figure 35-5). 


Figure 35-5 How NetStorage Works on OES NetWare 



The following table explains the information illustrated in Figure 35-5. 


Access Methods 

Users have read and write access to files from 

* Windows Explorer: This is enabled by the HTTP protocol with WebDAV extensions. 

* Browsers: Users can access files directly by connecting to the NetStorage server. 

* PDAs: PDA users with network connections can access their files as well. 

Access is granted through login script drive mapping or through Storage Location Objects. 


Authentication 

File service access is controlled by LDAP-based authentication through the eDirectory LDAP 
server. 

Although shown separately, eDirectory could be running on the OES server. 


NetStorage Server 

The NetStorage server receives and processes connection requests and provides access to storage 
on various servers on the network. 

A Novell iFolder server running on the same server as NetStorage is automatically available to 
Novell iFolder users. You must configure NetStorage if you want access to the Novell iFolder data 
stored on other servers. 


Target Servers 

NetStorage on NetWare can connect eDirectory users to their files and folders stored in the 
following locations: 

* NetWare Traditional volumes where users have access rights 

* NSS volumes on either NetWare or OES Linux servers where users have access rights 

* Any administrator-defined NCP volumes created on an OES Linux server 




35.1.5 Novell iFolder 2.1x 


Novell iFolder 2.1x provides a Web- and network-based repository (Novell iFolder server) that 
stores master copies of locally accessible files (see Figure 35-6). 


Figure 35-6 How Novell iFolder Works 
The following table explains the information illustrated in Figure 35-6. 


Access Methods 

Linux and Windows workstation users who have the Novell iFolder Client installed can access and 
modify their files in a workstation folder. Changes are automatically synchronized with the 
Novell iFolder server. 

Windows users who install NetDrive can map a network drive to the Novell iFolder server. Files 
are modified on the server. 

NetStorage is the Web-access solution for Novell iFolder 2.1x. 


Authentication/File Encryption 

All file service access is controlled by LDAP-based authentication through the eDirectory LDAP 
server. 

Although shown separately, eDirectory could be installed on the OES server. 

Files can be encrypted using a passphrase for transmission to and from storage on the Novell 
iFolder server. 


Novell iFolder Services 

Local and network copies of each file can be automatically synchronized by the Novell iFolder 
Client and Server pieces, or users can manually synchronize the files. 


Novell iFolder 2.1x offers other access options and features not shown in this graphic, including 


* Web access to files on other Novell iFolder 2.1x servers through a seamless integration with 
NetStorage. 


* Concurrent access to multiple accounts and collaborative access to a single account. 


* Thin-client support. 
35.1.6 Novell iFolder 3.1 


Novell iFolder 3.1 supports multiple iFolders per user, user-controlled sharing, and a centralized 
network server for file storage and secure distribution (see Figure 35-7). 


Figure 35-7 How Novell iFolder Works 
The following table explains the information illustrated in Figure 35-7. 


Access Methods 

Linux, Macintosh, and Windows workstation users who have the Novell iFolder Client installed can 
access and modify their files in one or more workstation folders. Changes are automatically 
synchronized with the iFolder 3.x Enterprise servers. 

A Web interface lets users access their files from any computer with an active network or 
Internet connection. 


Authentication/File Encryption 

All file service access is controlled by LDAP-based authentication through the eDirectory LDAP 
server. 

Although shown separately, eDirectory could be installed on the OES server. 

Files can be encrypted for transport using SSL connections (HTTPS). 


Novell iFolder Services 

Local and network copies of each file are automatically synchronized by the Novell iFolder 
Client and Server pieces. 
Additional overview information is available in “Overview of Novell iFolder 3.x” in the Novell 
iFolder 3.x Administration Guide. 


For details about new features in iFolder 3 and to compare differences between iFolder 2.1x and 
iFolder 3, see “What's New” in the Novell iFolder 3.x Administration Guide. 


35.1.7 Novell Samba 


Samba on an OES Linux server provides Windows (CIFS and HTTP-WebDAV) access to files 
stored on the OES server (see Figure 35-8). 


Figure 35-8 How Samba on OES Works 
The following table explains the information illustrated in Figure 35-8. 


Access Methods 

eDirectory users on Windows workstations have two native Windows file access options (provided 
their eDirectory accounts have been enabled for LUM and Samba): 

* CIFS Client Access 

Windows Explorer users can access and modify files on the Samba server just as they would on 
any workgroup server share. 

* Web Folder 

Users can create Web Folders in Windows Explorer or Internet Explorer. 

Files on the OES Linux server running Samba are accessed and maintained using the HTTP-WebDAV 
protocol. 


Authentication 

All file service access is controlled by LDAP-based authentication through the eDirectory LDAP 
server. 

Although shown separately, eDirectory could be installed on the OES server. 


File Storage Services 

Of course, the same files can also be accessed through other OES file services (such as 
NetStorage) that connect to Linux volumes. 


Samba is an open source initiative. In addition to Linux support, Samba initiatives provide support 
for other platforms such as Apple* Computer's operating systems. More information is available on 
the Web. See “Web Links” in the Samba Administration Guide for OES Linux SP2. 


35.2 Planning for File Services 


Functional overviews of each file service product are included in Section 35.1, “Overview of File 
Services,” on page 205. 


35.2.1 Deciding Which Components Match Your Needs 


To decide which file service components to install, you should match service features listed in Table 
35-1 to your network's file service requirements. 


Table 35-1 OES File Services Feature Breakdown 


Product: Native File Access Protocol (NFAP) (NetWare only) 

Access Method Features: 
* Linux File Managers 
* Macintosh Finder* 
* UNIX File Managers 
* Windows Explorer 

Back-End Storage Features: 
* NetWare volumes 

Security Features: 
* Secure LDAP Authentication 


Product: NCP Server (NetWare Core Protocol) 

Access Method Features: 
* Novell Client (NCP client) 

Back-End Storage Features: 
* Any Linux volumes (including NSS) that are defined as NCP volumes 
* NetWare volumes 

Security Features: 
* eDirectory Authentication 


Product: NetStorage 

Access Method Features: 
* Any supported browsers 
* Personal Digital Assistant (PDA) 
* Remote (browser-based) 
* Web Folders (on either an Internet Explorer browser or in Windows Explorer) 
* Windows Explorer 

Back-End Storage Features: 
* iFolder server (on same machine) 
* Linux traditional volumes 
* NetWare volumes 
* NCP volumes 
* NSS volumes 
* Samba (SMB) servers 
* Windows (CIFS) servers 

NOTE: NetStorage provides access only to other file services. 

Security Features: 
* Secure LDAP Authentication 


Product: Novell iFolder 2.1x 

Access Method Features: 
* Linux File Managers 
* Offline access with file synchronization (between local and network copies) on reconnect 
* Windows Explorer 

Back-End Storage Features: 
* Novell iFolder file repository on OES server 

Security Features: 
* Files are encrypted on the Novell iFolder server and for transport as well. 
* Secure LDAP Authentication 


Product: Novell iFolder 3.x 

Access Method Features: 
* Linux File Managers 
* Macintosh Chooser 
* Offline access with file synchronization (between local and network copies) on reconnect 
* Web browsers 
* Windows Explorer 

Back-End Storage Features: 
* Novell iFolder 3 Enterprise server file repository on OES Linux server 

Security Features: 
* Files can be encrypted for transport using SSL (HTTPS). 
* Secure LDAP Authentication 


Product: Novell Samba (Linux only) 

Access Method Features: 
* Any CIFS/SMB client 
* Remote access (Web Folders in the Internet Explorer browser) 
* Windows Explorer 

Back-End Storage Features: 
* Linux traditional file system on OES server 

Security Features: 
* Secure LDAP Authentication 


35.2.2 Planning Your File Services 


1 For the file services you plan to install, compute the total additional RAM required (above the 
basic system requirement). 


Note the following points: 


* Native File Access Protocols: There are no additional RAM requirements. 


* NCP: There are no additional RAM requirements. 


* NetStorage: There are no additional RAM requirements. 


* Novell iFolder 2.1x: Suggestions for calculating the additional RAM you need are 
contained in “Preparing to Install iFolder 2.1” in the Novell iFolder 2.1 Installation and 
Administration Guide. 


* Novell iFolder 3.x: Suggestions for calculating the additional RAM you need are 
contained in “Server Workload Considerations” in the Novell iFolder 3.x Administration 
Guide. 


* Samba: There are no additional RAM requirements. 


2 Record the additional required RAM in your planning notes. 


3 For the file services you plan to install, compute the total additional disk space required (above 
the basic system requirement). 


Note the following points: 


* Native File Access Protocols: Allocate enough disk space to meet your users' file storage 
needs. Because all platforms can access the same storage space, you need only consider 
the total space needed, not the platform-specific requirements. 


* NCP: Allocate enough disk space to meet your users’ file storage needs. On Linux, this 
space must exist on partitions you have designated as NCP volumes. On NetWare, all 
volumes are accessible through NCP. 


* NetStorage: There are no disk space requirements because NetStorage provides access 
only to other file storage services. 


* Novell iFolder 2.1x: Suggestions for calculating the additional disk space you need are 
contained in “Preparing to Install iFolder 2.1” in the Novell iFolder 2.1 Installation and 
Administration Guide. 


* Novell iFolder 3.x: Suggestions for calculating the additional disk space you need are 
contained in “Server Workload Considerations” in the Novell iFolder 3.x Administration 
Guide. 


* Samba: Allocate enough disk space for the partition containing the /home directory to 
meet your users’ file storage needs. 


4 Record the additional required disk space in your planning notes. 


5 For the file services you plan to install, refer to the information in the OES installation guides 
indicated in the following table and note your planning choices on your planning sheet. 


File Service Product: Native File Access Protocols 
Linux Planning References: N/A 
NetWare Planning References: The following sections in the OES Native File Access Protocols Guide. 
* “Preparing for CIFS and AFP” 
* “Administrator Workstation Prerequisites” 
* “Client Computer Prerequisites” 


File Service Product: NCP 
Linux Planning References: “Novell NCP Server” in the OES Linux Installation Guide 
NetWare Planning References: Installed by default. No planning required. 


File Service Product: NetStorage 
Linux Planning References: “Novell NetStorage” in the OES Linux Installation Guide 
NetWare Planning References: “NetStorage Install” in the OES NetWare Installation Guide 


File Service Product: Novell iFolder 2.1x 
Linux Planning References: “Novell iFolder 2.x” in the OES Linux Installation Guide 
NetWare Planning References: “iFolder Server Options” in the OES NetWare Installation Guide 


File Service Product: Novell iFolder 3.x 
Linux Planning References: “Novell iFolder 3.x” in the OES Linux Installation Guide 
NetWare Planning References: N/A 


File Service Product: Samba 
Linux Planning References: “Novell Samba” in the OES Linux Installation Guide 
NetWare Planning References: N/A 


35.3 Coexistence and Migration of File Services 


The links in Table 35-2 are to sections located in the OES Coexistence and Migration Guide. 


Table 35-2 File Services Coexistence and Migration Links 


File Services Product Link to Coexistence and Migration Information 
Native File Access Protocols “Native File Access Protocols” 

NCP “Novell Client (NCP)” 

NetStorage “NetStorage” 

Novell iFolder 2.1x “iFolder 2.1.x” 

Novell iFolder 3.x “iFolder 3.x” 

Samba “Samba” 


35.4 Aligning NCP and POSIX File Access Rights 


NetWare administrators have certain expectations regarding directory and file security. For example, 
they expect that home directories are private—that only the directory owners can see directory 
contents. However, because of the differences in the NetWare Core Protocol (NCP) and POSIX file 
security models (see Section 30.5, “Comparing the Linux and the NetWare Core Protocol (NCP) 
File Security Models,” on page 164), that is not the case by default on POSIX file systems. 


Use the information in this section to understand how you can configure POSIX directories to more 
closely align with the NCP model. 

* Section 35.4.1, “A Brief Explanation of Managing Access Rights,” on page 221 

* Section 35.4.2, “Providing a Private Work Directory,” on page 222 

* Section 35.4.3, “Providing a Group Work Area,” on page 222 

* Section 35.4.4, “Providing a Public Work Area,” on page 223 

* Section 35.4.5, “Setting Up Rights Inheritance,” on page 223 
35.4.1 A Brief Explanation of Managing Access Rights 


NCP directories are, by default, private. When you assign a user or a group as a trustee of a directory 
or file, those trustees can automatically navigate to the assigned area and exercise whatever access 
privileges you have assigned at that level and below. You can assign as many trustees with different 
access privileges as suits your purposes. 


On the other hand, traditional Linux (POSIX) directories can be accessed through three sets of 
permissions defined for each file object on a Linux system. These sets include the read (r), write (w), 
and execute (x) permissions for each of three types of users: the file owner, the group, and other 
users. The Linux kernel in OES also supports access control lists (ACLs) to expand this capability. 
However, ACLs are outside the scope of this discussion. For more information on ACLs, see 
“Access Control Lists in Linux” in the SUSE LINUX Enterprise Server 9 Administration Guide. 


The Linux shell chown command lets you change the file owner and/or group to a LUM user or a
LUM-enabled group. For example, chown -R user1 /home/user1 would change the owner
of the user1 home directory and all its subdirectories and files to user1. For more information, see
the chown man page on your OES Linux server.


The Linux shell chmod command provides a very simple and fast way of adjusting directory and 
file access privileges for the three user types: owner, group, and other (all users). In its simplest 
form, the command uses three numbers, ranging from 0 through 7, to represent the rights for each of 
the three user types. The first number sets the rights for the owner, the second number for the group, 
and the third number for all others. Each number represents a single grouping of rights, as follows: 


Number   Setting   Binary Representation
0        ---       000
1        --x       001
2        -w-       010
3        -wx       011
4        r--       100
5        r-x       101
6        rw-       110
7        rwx       111


Those familiar with the binary number system find this method an easy way to remember what each 
number represents. 


For example, the command chmod 777 /home would grant read, write and execute rights (7) to 
owner, group, and other for the /home directory, while chmod 700 /home would grant the three 
rights to only the directory owner, with group and other having no rights. chmod 750 /home 
would grant rwx rights to the owner, r-x rights to the group, and no rights to other users. 


For more information about the chmod command, see the chmod man page on your OES Linux 
server. 


35.4.2 Providing a Private Work Directory


To make an NCP directory private, you assign a single user as the trustee and make sure that no 
unexpected users or groups have trustee rights in any of the parent directories. 


To provide a private work area on a traditional Linux volume: 


1 Make the user the directory owner. For example, you could use the chown command to
change the owner (user),


chown -R user: /path/user_dir


where user is the eDirectory user, path is the file path to the work directory, and user_dir is the
work directory name. The -R option applies the command recursively to all subdirectories and
files.


2 Grant only the user read, write, and execute rights (rwx --- ---) to the directory. For example,
you could use the chmod command as follows,


chmod -R 700 /path/user_dir


where path is the file path to the work directory, and user_dir is the work directory name.


3 Check each parent directory in the path up to the root (/) directory, making sure that all
users (referred to as “other users” in Linux) have read and execute rights (r-x) in each directory
as shown by the third group of permissions (... ... r-x). (Owner and group permissions are
represented by dots (.) because their settings are irrelevant.)


The reason for this is that, in the parent directories, the directory owners are “other” users and
need to be able to see the path down to their private directory.


Because r-x is the default for most directories on Linux, you probably won't need to change the
permissions.


35.4.3 Providing a Group Work Area 


On an NCP volume, you can provide a group work area by assigning users to a group and then 
granting the group trustee rights to the directory. As an alternative, if users need different levels of 
access within the work area, you can assign each user as a trustee and grant only the rights needed. 


To provide a group work area on a traditional Linux volume: 


1 Set group ownership for the directory using the chown command. For example, you could 
enter 


chown -R :group /path/group_dir


where group is the group name, path is the file path to the work area, and group_dir is the
group work directory. The -R option applies the action to all subdirectories and files in
group_dir.


2 Grant the group read, write, and execute rights (... rwx ...). (Owner and other permissions are
represented by dots (.) because their settings are irrelevant.)


For example, you could enter


chmod -R 770 /path/group_dir


where path is the file path to the work area, and group_dir is the group work directory. The
second 7 grants rwx to the group. (The example assumes that the owner of the directory should
also retain all rights. Therefore, the first number is also 7.)


3 Check each parent directory in the path up to the root (/) directory, making sure that the
group has read and execute rights (r-x) in each directory as shown by the second group of
permissions (... r-x ...).


Use the chmod command to adjust this where necessary by specifying the number 5 for the
group permission. For more information, see “A Brief Explanation of Managing Access
Rights” at the beginning of this section.


35.4.4 Providing a Public Work Area 


On an NCP volume, you can provide a public work area by assigning [Public] as a trustee and then 
granting the required trustee rights to the directory. 


For the work area itself, you would set permissions for the owner, group, and all others to read, 
write, and execute rights (rwx rwx rwx) (chmod 777). 


All others must also have read and execute rights on the system in each parent directory in the path 
all the way to the root of the Linux system. This means that you set permissions for all parent 
directories to rwx --- r-x. 


To provide a public work area on a traditional Linux volume: 


1 Assign all rights (rwx) to other (all users) using the chmod command. For example, you could 
enter 


chmod -R 707 /path/group_dir


where path is the file path to the work area, and group_dir is the group work directory. The
third 7 grants rwx to other (all users). (The example assumes that the owner of the directory should
also retain all rights and that the group setting is irrelevant.)


2 Check each parent directory in the path up to the root (/) directory, making sure that all
users (other) have read and execute rights (r-x) in each directory as shown by the third group of
permissions (... ... r-x). (Owner and group permissions are represented by dots (.)
because their settings are irrelevant.)


Use the chmod command to adjust this where necessary by specifying the number 5 for the
other permission. For more information, see “A Brief Explanation of Managing Access Rights”
at the beginning of this section.
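

The private, group, and public layouts in Sections 35.4.2 through 35.4.4 can be verified after the fact with a small audit script. This is an added example, not part of the Novell guide: the function names, the optional top-directory argument, and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit a work area against the
# chmod layouts in Sections 35.4.2-35.4.4. All function names are hypothetical.

# perm_field CLASS PATH: print the 3-character rights field for owner|group|other.
perm_field() {
    # "ls -ld" prints e.g. "drwxr-x---": columns 2-4, 5-7 and 8-10 are the fields.
    pf_mode=$(ls -ld -- "$2" 2>/dev/null | cut -c1-10)
    case $1 in
        owner) printf '%s\n' "$pf_mode" | cut -c2-4 ;;
        group) printf '%s\n' "$pf_mode" | cut -c5-7 ;;
        other) printf '%s\n' "$pf_mode" | cut -c8-10 ;;
        *) return 2 ;;
    esac
}

# Field tests. s/t in the last column mean "execute plus setuid/setgid/sticky";
# S/T mean the special bit is set without execute.
has_rx()  { case $1 in r?[xst]) return 0 ;; *) return 1 ;; esac; }
has_rwx() { case $1 in rw[xst]) return 0 ;; *) return 1 ;; esac; }
is_none() { case $1 in --[-ST]) return 0 ;; *) return 1 ;; esac; }

# audit_work_area KIND DIR [TOP]: KIND is private (700), group (770) or
# public (707). Parents of DIR are checked up to and including TOP (default /).
# Returns 0 when everything matches, 1 on any finding, 2 on bad usage.
audit_work_area() {
    aw_kind=$1 aw_dir=$2 aw_top=${3:-/} aw_status=0
    case $aw_kind in
        private) aw_class=other
            has_rwx "$(perm_field owner "$aw_dir")" &&
            is_none "$(perm_field group "$aw_dir")" &&
            is_none "$(perm_field other "$aw_dir")" || aw_status=1 ;;
        group) aw_class=group
            has_rwx "$(perm_field group "$aw_dir")" &&
            is_none "$(perm_field other "$aw_dir")" || aw_status=1 ;;
        public) aw_class=other
            has_rwx "$(perm_field other "$aw_dir")" || aw_status=1 ;;
        *) echo "usage: audit_work_area private|group|public DIR [TOP]" >&2
           return 2 ;;
    esac
    [ "$aw_status" -eq 0 ] || echo "FAIL $aw_dir: mode does not match $aw_kind layout"

    # Walk the parents: the class that must reach DIR needs r-x on each one.
    aw_parent=$(dirname "$aw_dir")
    while :; do
        if ! has_rx "$(perm_field "$aw_class" "$aw_parent")"; then
            echo "FAIL $aw_parent: $aw_class lacks r-x"
            aw_status=1
        fi
        if [ "$aw_parent" = "$aw_top" ] || [ "$aw_parent" = "/" ] ||
           [ "$aw_parent" = "." ]; then
            break
        fi
        aw_parent=$(dirname "$aw_parent")
    done
    return "$aw_status"
}

# Constructed demo tree in a temporary directory (sample data, not from the guide).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home/user1" "$DEMO/home/user2" "$DEMO/home/shared" "$DEMO/closed/team"
chmod 755 "$DEMO" "$DEMO/home"
chmod 700 "$DEMO/home/user1"    # private work directory, as in 35.4.2
chmod 750 "$DEMO/home/user2"    # group can still read: not private
chmod 707 "$DEMO/home/shared"   # public work area, as in 35.4.4
chmod 770 "$DEMO/closed/team"   # group work area, as in 35.4.3 ...
chmod 700 "$DEMO/closed"        # ... but its parent gives the group no r-x

report() {
    if audit_work_area "$1" "$2" "$DEMO"; then
        echo "OK   $1 $2"
    else
        echo "BAD  $1 $2"
    fi
}
report private "$DEMO/home/user1"
report private "$DEMO/home/user2"
report public  "$DEMO/home/shared"
report group   "$DEMO/closed/team"
```

On a real server, omit the third argument so the parent check runs all the way up to the root (/) directory.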


35.4.5 Setting Up Rights Inheritance 


The final step in aligning POSIX rights to the NCP model is setting the Inherit POSIX Permissions 
volume flag in the NCP configuration file so that all files and subdirectories created in these areas 
inherit the same permissions as their parent directory. For instructions, see “Setting Volume 
Definition Flags” in the NCP Server for Linux Administration Guide.


35.5 Native File Access Protocols Implementation and Maintenance


After installing a NetWare server, if you want to provide native access to Linux, Macintosh, UNIX, 
or Windows users, there are tasks to complete for each of the platforms. 


The OES Native File Access Protocols Guide contains the following relevant sections: 


* “Working with UNIX Machines” 
* “Working with Macintosh Computers” 
* “Working with Windows Computers” 


To ensure a successful NFAP implementation, complete all the instructions in the sections for your 
chosen platforms. 


Because NFAP provides native protocol access to files on NSS volumes on the NetWare server, the 
service is covered by maintenance tasks that apply to NSS file systems. For information on 
maintaining file services on NetWare, see the “Open Enterprise Server SP2 Documentation” links in 
the online documentation. 


35.6 NCP Implementation and Maintenance 


The implementation information in the following sections can help you get started with NCP on 
OES servers. 


35.6.1 NCP Services on NetWare 


After installing an OES NetWare server, eDirectory users on Windows workstations with the Novell 
Client installed can access all the directories and files that you have granted them access to. 


A common way for granting access is using the menu button (the red N) located in the system tray 
(taskbar) on most workstations after the Novell Client is installed. More information about 
managing file access is available in Chapter 33, “Access,” on page 187. 


35.6.2 Novell NCP Server for Linux 


If you have installed the NCP Server for Linux, the same eDirectory/Novell Client users can access 
files on the OES Linux server. However, there are no home or data volumes available initially. These 
require a setup step not required on NetWare. 


The Default NCP Volume 


The NCP Server for Linux enables NCP access to NCP volumes defined on the OES Linux server. 
When you install the NCP server, the installation creates one NCP volume named SYS: that maps 
to the /usr/novell/sys folder on the Linux server. 


This NCP volume contains LOGIN and PUBLIC directories that, in turn, contain a small subset of 
the files found on a NetWare server in the directories with the same names. 


Creating Home and Data Volume Pointers


Initially, there are no NCP home directories or data volumes available to Novell Clients that attach 
to an OES Linux server. 


If you want users to have NCP home or data directories on the server, you must decide where you 
want these directories to live on the server’s partitions and then create NCP volumes using the 
NCPCON utility at the Linux shell prompt. 


For example, if you wanted to create an NCP volume (pointer) named HOME and mount it to the 
/usr folder on the Linux server, you would enter the following command at the shell prompt: 


ncpcon create volume HOME /usr 


After issuing this command, when a Novell Client attaches to the OES Linux server, the HOME:
volume appears along with the SYS: volume created by the installation.


IMPORTANT: NCP Volume pointers are always created with uppercase names (HOME:, SYS:,
etc.) regardless of the case specified when the volume pointers are created.


35.6.3 Assigning File Trustee Rights 


You can use the same methods for assigning file trustee rights on NCP volumes on OES Linux 
servers that you use when assigning them on NetWare. For example, the Novell Client can be used 
by anyone with the Access Control right on the volume, or the root user can use the ncpcon utility > 
rights command at a shell prompt to administer NCP trustee rights. See “Changing NCP File System
Rights” in the NCP Server for Linux Administration Guide. (The ncpcon rights command is related
to but not the same as the rights utility used to manage trustees on NSS volumes.) 


35.6.4 NCP Maintenance 


Because NCP provides Novell Client access to files on OES NetWare and OES Linux servers, the 
service is covered by maintenance tasks that apply to file systems on these servers. For information 
on maintaining file services, see the “Open Enterprise Server SP2 Documentation” section in the 
online documentation. 


35.7 NetStorage Implementation and Maintenance


The following sections are provided only as introductory information. For more information about 
using NetStorage, see the OES NetStorage Administration Guide for NetWare. 


35.7.1 About Automatic Access and Storage Locations


The inherent value of NetStorage lies in its ability to connect users with various servers and file
systems. Some connections are created automatically depending on the OES platform where
NetStorage is installed. Other connections must be created by the network administrator.


Table 35-3 NetStorage Access Summary


OES Platform    Automatic Access

Linux           * Novell iFolder folders on the same server
                * NSS volumes on the same server that use the default mount point (/media/nss)
                * Drive mapping locations in login scripts of the user logging in (if the NCP
                  Server for Linux is running on the server)

NetWare         * User Home directories
                * Novell iFolder folders on the same server
                * Drive mapping locations in login scripts of the user logging in

To provide access to file systems not listed in Table 35-3, you must create Storage Location objects 
in eDirectory. For instructions on creating Storage Locations, see the following: 


* For Linux: “Creating a Storage Location Object" in the OES NetStorage Administration Guide 
for Linux 


* For NetWare: “Creating a Storage Location Object" in the OES NetStorage Administration 
Guide for NetWare 


35.7.2 Novell iFolder Doesn’t Use Storage Locations 


Novell iFolder access in NetStorage is controlled through the iFolder Storage Provider task in 
iManager and does not involve Storage Location objects. For more information about the iManager 
task, see the context-sensitive help in iManager. 


35.7.3 Novell iFolder 2.1x Requires Additional Setup 


If your NetStorage installation has a Novell iFolder link, you must complete all the instructions in 
Section 35.8, “Novell iFolder 2.1x Implementation and Maintenance," on page 228 before 
attempting to let users access the service. 


35.7.4 Assigning User and Group Access Rights 


Because NetStorage provides access to other file storage systems, the users and groups that access 
the other systems through NetStorage must be created and granted file and directory access on those 
systems. 


For example: 
* NetWare users must exist in the eDirectory tree where the NetWare server resides and have 
access rights to the files and directories on the NetWare server. 


* Windows users must exist on the Windows systems and have the required access rights to the 
files and directories on those systems. 


* If your users will access Samba files on an OES Linux server, they must be enabled for LUM 
and Samba access on the OES Linux server. For more information, see Section 18.1.5, 
“Services in OES Linux That Require Linux-Enabled Access,” on page 119. 


IMPORTANT: The usernames and passwords used to authenticate to the NetStorage (OES) server
through eDirectory must match the usernames and passwords defined on the target systems.


35.7.5 Authenticating to Access Other Target Systems 


The OES installation establishes a primary authentication domain for NetStorage. To access any 
storage location, users must exist somewhere in this primary domain. When it receives an 
authentication request, NetStorage searches for the username in the context you specified during 
OES installation and in all its subcontexts. 


Authentication to other file systems is often controlled by other authentication domains. For 
example, you might create a storage location on the OES server that points to a NetWare server that 
resides in a different eDirectory tree. To access this storage location, users must authenticate to the 
other tree. 


This means that you must specify an additional context in the NetStorage configuration as a 
nonprimary authentication domain. 


When defining a nonprimary authentication domain, you must 


* Ensure that the username and password in the nonprimary domain match the username and
password in the primary domain.


* Specify the exact context where User objects reside. NetStorage doesn't search the subcontexts 
of nonprimary authentication domains. 


For more information about managing NetStorage authentication domains, see “Authentication
Domains” in the OES NetStorage Administration Guide for NetWare.


35.7.6 NetStorage Authentication Is Not Persistent by Default 


By default, users must reauthenticate each time they access NetStorage in a browser. This is true 
even if another browser window is open and authenticated on the same workstation. 


The reason for this is that persistent cookies are not enabled by default.


This setting can be changed. For more information, see “Persistent Cookies” in the OES NetStorage
Administration Guide for NetWare.


35.7.7 NetStorage Maintenance 


Your NetStorage installation can change as your network changes and evolves by providing access 
to new or consolidated storage locations. For information about the kinds of tasks you can perform 
to keep your NetStorage implementation current, see the following: 


* For Linux: OES NetStorage Administration Guide for Linux 
* For NetWare: OES NetStorage Administration Guide for NetWare 


35.8 Novell iFolder 2.1x Implementation and Maintenance


The following implementation pointers are provided only as introductory information. To begin 
using Novell iFolder, see the Novell iFolder 2.1 Installation and Administration Guide. 


35.8.1 Managing Novell iFolder 2.1x 


You manage Novell iFolder through the iFolder Management Console, which you can access 
directly or through iManager. For more information, see “Using the iFolder Management Console to 
Configure Your iFolder System" in the Novell iFolder 2.1 Installation and Administration Guide. 


35.8.2 Configuring the Novell iFolder Server 


Before you let users log in to the Novell iFolder 2.1x server, complete the setup tasks in 
“Configuring Your First iFolder Server" in the Novell iFolder 2.1 Installation and Administration 
Guide. 


35.8.3 Creating and Enabling Novell iFolder 2.1x Users 


To provide user access to Novell iFolder 2.1x: 


1. Create User objects in eDirectory. 
2. Enable the User objects as Novell iFolder users. 


3. Have users create their Novell iFolder accounts by installing and using the Novell iFolder 
Client. They can then access Novell iFolder in the following ways: 


* On their local workstation 
Changes to their local iFolder are synchronized with the Novell iFolder server. 
* Using NetDrive to create a mapped drive to the Novell iFolder server 


* Using NetStorage to access the Novell iFolder server (providing you have enabled 
NetStorage for access to the Novell iFolder server) 


The NetDrive and NetStorage options provide direct access to the data store on the server, 
bypassing the local iFolder. 


For more information, see “Managing iFolder User Accounts" in the Novell iFolder 2.1 Installation 
and Administration Guide. 


35.8.4 Novell iFolder 2.1x Maintenance


This section summarizes documentation resources to help you maintain Novell iFolder 2.1x.


Monitoring the Novell iFolder Service Load 


As the Novell iFolder service load increases, you might need to increase the server capacity by 
installing additional RAM or adding disk space. 


Use the iFolder Management Console to monitor how the server is meeting the needs of your Novell
iFolder users. For more information, see “Accessing the iFolder System Monitoring Tool” in the 
Novell iFolder 2.1 Installation and Administration Guide. 


Consulting the Novell iFolder Documentation 


Novell iFolder documentation includes the following information: 


Novell iFolder 2.1 Installation and Administration Guide: Provides comprehensive information 
for administrators on configuring and managing Novell iFolder servers in the enterprise 
environment and includes the following: 


* A conceptual overview 
* Scenarios for deployment 
* Planning and management issues 


* Instructions for using the iFolder Management Console to manage Novell iFolder


Novell iFolder Quick Start: Introduces the Novell iFolder client and provides information on 
installing and configuring the Novell iFolder client on Windows workstations and laptops. 


Novell iFolder 2.1 User Guide: Provides comprehensive information on installing, managing, 
and using the Novell iFolder client on workstations and laptops and includes the following: 


* A conceptual overview 
* Scenarios for use 
* Instructions for setting Novell iFolder client preferences 


* Information on securely accessing files from a handheld device or using a Web browser 
and Novell NetDrive 


Novell NetDrive 4.1 User Guide: Provides information on installing and using NetDrive 4.1. 


Novell 2.1 Readme: Provides information on known issues for the Novell iFolder server and 
client. 


Novell NetDrive 4.1 Readme: Provides information on known issues for NetDrive 4.1. 


35.9 Novell iFolder 3.x Implementation and Maintenance


The following implementation pointers are provided only as introductory information. To begin 
using Novell iFolder, see the Novell iFolder 3.x Administration Guide. 


35.9.1 Managing Novell iFolder 3.1x 


You manage Novell iFolder through the iFolder Management Console, which you can access 
directly or through iManager. For more information, see “Accessing iManager and the Novell
iFolder 3 Plug-In” in the Novell iFolder 3.x Administration Guide.


35.9.2 Configuring Novell iFolder Servers


Before you let users log in to the Novell iFolder 3.x server, complete the setup tasks in “Configuring
the iFolder Enterprise Server” (and “Configuring the iFolder Web Access Server” if desired) in the
Novell iFolder 3.x Administration Guide.


35.9.3 Creating and Enabling Novell iFolder 3.x Users


To provide user access to Novell iFolder 3.x: 


1. Provision eDirectory User objects for iFolder 3.x.
2. Enable the User Account Policies for iFolder access.
3. (Optional) Enable Account Quotas (Space Limits) for the user accounts.
4. Create iFolders for users.
5. Distribute the iFolder Client to users.


For more information, see “Managing an iFolder Web Access Server” in the Novell iFolder 3.x 
Administration Guide. 


35.9.4 Novell iFolder 3.x Maintenance 


The following implementation pointers are provided only as introductory information. To begin 
using Novell iFolder, see the Novell iFolder 3.x Administration Guide. 


Managing the Novell iFolder System 


As the Novell iFolder service load increases, you might need to increase the server capacity by 
installing additional RAM or adding disk space and perform other maintenance tasks. For help, see 
the following sections in the Novell iFolder 3.x Administration Guide: 


* “Managing an iFolder Enterprise Server”
* “Managing iFolder Services”
* “Managing an iFolder Web Access Server”
* “Managing iFolder Users”
* “Managing iFolders”


Consulting the Novell iFolder Documentation


Novell iFolder documentation includes the following guides:


* Novell iFolder 3.x Administration Guide: Provides comprehensive information for 
administrators on configuring and managing Novell iFolder servers in the enterprise 
environment and includes the following: 


* A conceptual overview 

* Scenarios for deployment 

* Planning and management issues 

* Instructions for using the iManager to manage Novell iFolder 3.x


* iFolder User Guide for Novell iFolder 3.2: Provides comprehensive information on installing, 
managing, and using the Novell iFolder client on workstations and laptops and includes the 
following: 


* A conceptual overview 
* Scenarios for use 


* Instructions for setting Novell iFolder client preferences
* Information on securely accessing files from a handheld device or using a Web browser
and Novell NetDrive 


* “Novell iFolder 3.2 for Open Enterprise Server SP2 Linux”: Provides information on known 
issues for the Novell iFolder server and client. 


* Novell iFolder 3.x Security Administrator Guide: Provides information for security 
administrators. 


35.10 Samba Implementation and Maintenance 


To use Novell’s implementation of Samba file services on your OES server, you must have installed 
the service using the instructions in the OES Linux Installation Guide (for a new installation) or
installed it after the initial OES installation as explained in “Implementing Samba” in the Samba 
Administration Guide for OES Linux SP2. 


35.10.1 Implementing Samba File Services 


NOTE: If you are new to OES, we recommend the Lab Guide for OES SP2 Linux for an 
introduction to creating and working with eDirectory objects and OES file services, including 
Novell Samba. 


All users whose accounts have been enabled for Samba access can access the OES server as they 
would any Windows server. 


For instructions on implementing Samba, see “Implementing Samba” in the Samba Administration
Guide for OES Linux SP2.


35.10.2 Maintaining Samba File Services 


Information on maintaining your Samba installation is found in Appendix G, “Samba Support in 
OES,” on page 259. 


Print Services


Novell® Open Enterprise Server (OES) includes Novell iPrint, an easy-to-implement printing 
solution that provides print-anywhere functionality to your network users on Linux, Macintosh, and 
Windows machines. 


This section contains the following information: 


* Section 36.1, “Overview of Print Services," on page 233 

* Section 36.2, "Planning for Print Services," on page 235 

* Section 36.3, “Coexistence and Migration of Print Services," on page 235 
* Section 36.4, "Print Services Implementation Suggestions," on page 235 


* Section 36.5, "Print Services Maintenance Suggestions," on page 237 


36.1 Overview of Print Services 


Novell iPrint lets Linux, Macintosh, and Windows users 


* Quickly locate network printers using their Web browser.

* Easily install and configure a located printer using their native printer installation method.

* Print to installed printers from any location (including the Web) using an IP connection.


The information in this section provides a high-level overview of Novell iPrint print services. It is
designed to acquaint you with basic iPrint functionality so you will understand


* The configuration steps you need to perform to provide iPrint print services.

* How iPrint functions from the user's perspective.


36.1.1 Using This Overview 


If you already know that you want to provide OES print services for your users and you understand 
how iPrint works, skip the overviews and continue with Section 36.2, “Planning for Print Services,” 
on page 235. 


If you want to learn more about iPrint, continue with this overview section. 


36.1.2 iPrint Components 


A Novell iPrint installation consists of various components, most of which are represented by 
objects in your eDirectory™ tree: 


* Print Driver Store (Linux): This is a repository that stores the drivers on an OES Linux server 
for your network printers. It is the first component you configure and is represented by an 
eDirectory object that you create. 


* Print Broker (NetWare): This is a repository that stores the drivers on an OES NetWare® 
server for your network printers. It is the first component you configure and is represented by 
an eDirectory object that you create. 


* Printer Drivers: These are the platform-specific printer drivers and PostScript* Printer
Description (PPD) files that are stored in the Driver Store or Broker and are installed on 
workstations when users select a target printer. Printer drivers and PPD files exist as file 
structures within the Driver Store and Broker and are not represented by objects in eDirectory. 


* Printer Objects: These are eDirectory objects you create that store information about the 
printers available through iPrint. The information stored in an object is used each time its 
associated printer is added to a workstation's list of available printers. 


* Print Manager: This is a daemon that runs on OES Linux or an NLM™ that runs on the OES 
NetWare server. It receives print jobs from users and forwards them to the target printer when it 
is ready. It is represented by and controlled through an eDirectory object that you can 
configure. 

* iPrint Client: This is a set of browser plug-ins. On Macintosh and Windows workstations it is 
automatically installed the first time it interacts with iPrint. On Linux workstations, it must be 
installed manually. The client is required on each platform to navigate through the iPrint Web 
pages, select a target printer, and install the print driver. 


For more information on iPrint, see “Print Services" in the OES online documentation. 


36.1.3 iPrint Functionality 


Figure 36-1 describes how iPrint functions from a user workstation perspective.


Figure 36-1 How iPrint Works


The following table explains the information illustrated in Figure 36-1.




Access

* The iPrint Client must be installed on each workstation accessing iPrint services.
* A user needing to use a printer for the first time accesses the organization's print page on the
  Web.
* When the user selects the target printer, its platform-specific driver is automatically installed
  and configured.
* After printer installation, users can print to the printer from any application.


Authentication

* You can require authentication for Windows users if needed. The option to require
  authentication is not available for Linux and Macintosh users.
* Although shown separately, eDirectory could be installed on the OES server.


Printing Services

* Users with the iPrint client installed and access to the OES server can install printer drivers
  and print to iPrint printers.
* By default, iPrint generates a printer list for the printers hosted on the server.
* A customized Web page lets users browse to the target printer using location lists and maps
  that you have previously created for the site where the printer is located.


36.2 Planning for Print Services 


Consider the following information as you plan your iPrint installation: 
* We recommend that you record your planning decisions on a planning worksheet for future 
reference. 
* iPrint has no additional RAM requirements. 


* Most iPrint installations (even in large enterprises) do not require additional disk space for 
associated print job spooling. 


However, if you anticipate very heavy print usage and want to plan for additional disk space in 
that regard, the iPrint spooler area is located in the /var partition or directory structure on OES 
Linux servers. On NetWare servers, you designate the location when creating the Print 
Manager object. 


* To finish planning your iPrint installation, refer to the information for your server platform: 
* For NetWare: “Novell iPrint Server" in the OES NetWare Installation Guide 
* For Linux: “Novell iPrint" in the OES Linux Installation Guide 


36.3 Coexistence and Migration of Print Services 


See "Printing" in the OES Coexistence and Migration Guide. 


36.4 Print Services Implementation Suggestions 


This section provides only summary implementation information. For complete iPrint 
documentation, see the following: 


* OES iPrint Administration Guide for Linux 
* OES iPrint Administration Guide for NetWare 


36.4.1 Initial Setup


After your OES server is installed, you must do the following to complete your iPrint installation:


1 Create a Driver Store on OES Linux or a Broker on OES NetWare to store the print drivers.


These eDirectory objects store the drivers for your network printers on Linux and NetWare 
servers, respectively. Each Printer object you create for your network needs to reference a 
printer driver in the Driver Store or Broker. When users subsequently install printers, the correct 
drivers for the platform running on their workstation are downloaded from the Driver Store and 
installed. 
You create the Driver Store using iManager. For specific instructions, see the following: 

* For Linux: “Creating a Driver Store" in the OES iPrint Administration Guide for Linux 

* For NetWare: "Creating a Broker" in the OES iPrint Administration Guide for NetWare 


2 Add a printer driver to the Driver Store or Broker for each printer/platform combination 
needed. 


For example, if you have Windows XP, Windows 2000, and Novell Linux Desktop (NLD) 
workstations on your network and you have four different printer types, you need to add four 
printer drivers for each platform (a total of 12 printer drivers) to the Driver Store or Broker. 


You add printer drivers to the store using iManager. For specific instructions, see the following: 
* For Linux: "Updating Printer Drivers" in the OES iPrint Administration Guide for Linux 


* For NetWare: “Adding or Updating Printer Drivers" in the OES iPrint Administration 
Guide for NetWare 


3 Create a Print Manager object. 


The Print Manager receives print jobs from users and forwards them to the target printer when 
it is ready. It must be running for you to create Printer objects. 


The Print Manager is an object you create in eDirectory and is usually started and stopped 
using iManager. 


You create the Print Manager object using iManager. For specific instructions, see the 
following: 


* For Linux: "Creating a Print Manager" in the OES iPrint Administration Guide for Linux 


* For NetWare: "Creating a Print Manager" in the OES iPrint Administration Guide for 
NetWare 


4 Create Printer objects. 


You must create a Printer object for each printer you want users to access through iPrint. These 
objects store information about the printer that is used each time the printer is installed on a 
workstation. 


You create Printer objects using iManager. For specific instructions, see the following: 
* For Linux: “Creating a Printer" in the OES iPrint Administration Guide for Linux 
* For NetWare: "Creating a Printer" in the OES iPrint Administration Guide for NetWare 
5 (Optional) Create location-based, customized printing Web pages. 


By default, each iPrint installation includes the creation of a Default Printer List Web page that 
users can access to install iPrint printers. 


You have the option of enhancing the browsing experience by creating location-based printing 
Web pages that feature either lists of printers by location, maps of the buildings showing each 
printer, or a combination of both. 


If your organization is located at multiple sites or even in a building with multiple floors, 
providing location-based print Web pages can greatly simplify printing for your users. 


Your iPrint installation contains the iPrint Map Designer to help you easily create location 
maps with clickable printer icons. For more information, see the following: 


* For Linux: “Setting Up Location-Based Printing” in the OES iPrint Administration Guide 
for Linux 


* For NetWare: “Setting Up Location-Based Printing” in the OES iPrint Administration 
Guide for NetWare 


6 Provide instructions to users for accessing iPrint printers. 


After performing the steps above, your network is ready for iPrint functionality. You need only 
tell users how to access your printing Web pages; Novell iPrint does the rest. 


36.4.2 Implementation Caveats 


The Start Here section of this guide documents a few implementation caveats relating to iPrint on 
Linux. See “iPrint on OES Linux” on page 74. 


36.4.3 Other Implementation Tasks 


In addition to the tasks described in Section 36.4.1, “Initial Setup,” on page 236, there are additional 
tasks you might want or need to consider. To see a list of potential tasks, refer to the “Print Services” 
links in the OES online documentation. 


36.5 Print Services Maintenance Suggestions 


As you add printers to your network or move them to different locations, be sure to update your 
iPrint installation to reflect these changes. 


After your installation is completed and users are printing, you can monitor print performance using 
the information located in the following locations: 


* For Linux: “Using the Print Manager Health Monitor” in the OES iPrint Administration Guide 
for Linux 

* For NetWare: “Using the Print Manager Health Monitor” in the OES iPrint Administration 
Guide for NetWare 


For more information on iPrint and its functionality within OES, see the “Print Services” links in the 
online documentation. 


White Pages (eGuide) 


This section contains the following eGuide information: 


* Section 37.1, “Overview” 
* Section 37.2, “Planning” 
* Section 37.3, “Implementation Suggestions” 
* Section 37.4, “Maintenance Suggestions” 


37.1 Overview 


eGuide lets you use the information in eDirectory™ to create a “White Pages" directory for your 
organization that users can access from their Web browser. 


You can configure eGuide to publish any information that you choose to store in eDirectory. 


For example, the default eGuide installation in OES lets users search for the names of all eDirectory 
User objects on your system. By default, it lets them see the details for their own User objects that 
are stored in eDirectory, but it doesn't let them modify the eDirectory information. Also, it lets them 
see only the e-mail address attributes associated with other objects. 


You can configure eGuide so that users can see other information for other users in your 
organization, such as their telephone numbers, office locations, job titles, and any other information 
you choose to store in eDirectory. You can also configure eGuide so that users can maintain their 
own information in eDirectory. You can even let them choose the information they want other users 
to be able to access. 


Figure 37-1 summarizes the eGuide functionality available in OES. 


Figure 37-1 How eGuide Works 


The following table explains the information illustrated in Figure 37-1. 


Users: An eDirectory user named Jose Sanchez logs in to eGuide. 


Authentication: Access to eGuide is controlled through LDAP-based authentication through the 
eDirectory LDAP server. Although shown separately, eDirectory could be installed on the OES 
server. 


Services: Jose searches using the asterisk (*) wildcard and sees two entries: Anita Flores and Jose 
Sanchez. If he clicks Anita's name, he sees only her e-mail address (by default). On the other hand, 
Jose can see his own information. 


The eGuide administrator can configure eGuide so that Jose can edit some of his information and 
the changes will be stored in eDirectory. 


The administrator can also let users search on any object types in eDirectory, thus letting them find 
the people, places, things, and information they need to be productive and self-sufficient. 

37.2 Planning 


The planning you do for eGuide should involve the following considerations: 


* Whether you want eGuide available to your users 
* The eDirectory objects you want to expose through eGuide 


* The role you want users to play in accessing and maintaining eDirectory information through 
eGuide 


For more information on planning your eGuide implementation, see “eGuide Product Overview" in 
the Novell eGuide 2.1.2 Administration Guide. 


37.3 Implementation Suggestions 


You can implement your eGuide plans using the information in "Configuring eGuide" and other 
appropriate sections in the Novell eGuide 2.1.2 Administration Guide. 


37.4 Maintenance Suggestions 


As both your organization and your network evolve, you should ensure that eGuide is helping you 
achieve your organizational objectives. The information in the Novell eGuide 2.1.2 Administration 
Guide can help you maintain your eGuide implementation. 


Reference Information 


This section contains the following OES reference materials: 


Appendix A, “Linux Tips for NetWare Administrators” 
Appendix B, “Quick Reference to OES User Services” 
Appendix C, “Services Supported on Each Platform” 
Appendix D, “OES Browser Support” 
Appendix E, “OES Linux Service Scripts” 
Appendix F, “OES System Users and Groups” 
Appendix G, “Samba Support in OES” 
Appendix H, “Documentation Updates” 


Linux Tips for NetWare Administrators 


The information previously in this section is now contained in a separate guide—Novell OES SP2 
Linux Tips for NetWare Administrators. 


Quick Reference to OES User Services 


Use Table B-1 as a quick reference for providing your network users with instructions for accessing 
each Novell® OES service. 


Table B-1 OES User Services Quick Reference 


Services | Access Method or URL | Notes 
eGuide | http://server_ip_address_or_dns_name/eGuide | 
 | http://server_ip_address_or_dns_name:443/eGuide | 
Novell iFolder® 3.x Web Access server | https://server_ip_address_or_dns_name/ifolder | “ifolder” is the default name, but this can be customized by the administrator. 
iPrint | http://server_ip_address_or_dns_name/ipp | 
 | https://server_ip_address_or_dns_name:443/ipp | 
Native File Access | Use the native file access tools on your Linux, Macintosh, Windows, or UNIX workstation to access volumes on OES NetWare that you have the appropriate file trustee rights to | 
NetStorage | http://server_ip_address_or_dns_name/NetStorage | 
 | https://server_ip_address_or_dns_name:443/NetStorage | 
Novell Client™ | 1. Install the Novell Client on a supported Windows workstation. 2. Log in to eDirectory™. 3. Access NCP™ volumes on NetWare or Linux that you have the appropriate file trustee rights to. | 
Novell iFolder (2.x) | http://server_ip_address_or_dns_name/iFolder | Specifying a secure port is not required for a secure HTTP connection to Novell iFolder. 
 | https://server_ip_address_or_dns_name/iFolder | 
Samba | Map a network drive in Windows Explorer. | 
 | Create a Web Folder in Internet Explorer. | 
Virtual Office | http://server_ip_address_or_dns_name/vo | You can specify HTTPS and the secure port (443) if desired. Both URLs establish a secure connection with the OES server. 


Services Supported on Each Platform 


See Table 3-1 on page 34. 


OES Browser Support 


As a general rule, OES management tools support the following browsers: 


* Mozilla* Firefox* 
* Mozilla.org 1.7.7 


* Internet Explorer 6 


Table D-1 provides service-specific links and information about browser support in Novell® OES. 


Table D-1 Browser Support in OES 


Management Tool | Supported Browser Information Link 
eGuide | * eGuide Administration Utility in “System Requirements” in the Novell eGuide 2.1.2 Administration Guide 
 | * eGuide Client in “System Requirements” in the Novell eGuide 2.1.2 Administration Guide 
iManager 2.5 | * “Using a Supported Web Browser” in the Novell iManager 2.5 Administration Guide 
 | There are rendering differences for some iManager plug-ins between Internet Explorer 6 (IE) and Mozilla-based browsers. For example, options that are accessed through tabs in IE are sometimes accessed through drop-down lists in Firefox. 
iMonitor | * “System Requirements” in “Using Novell iMonitor 2.1” in the Novell eDirectory 8.7.3 Administration Guide 
IP Address Manager (NetWare) | Same as Novell Remote Manager 
iPrint | * “Supported Browsers for iPrint” in the OES iPrint Administration Guide for Linux 
 | * “Supported Browsers for iPrint” in the OES iPrint Administration Guide for NetWare 
MySQL 4.0 (phpMyAdmin) (NetWare®) | * “Administering MySQL Using phpMyAdmin” in the MySQL for NetWare Administration Guide for OES 
Novell iFolder® 2.1x | * Internet Explorer 6 
 | * Mozilla 1.7 
 | * Konqueror (KDE 3.2) 
Novell Remote Manager | * “System Requirements” in the Novell Remote Manager Administration Guide for Linux for OES 
 | * “System Requirements” in the Novell Remote Manager for NetWare Administration Guide for OES 
OpenSSH Manager (NetWare) | * “Added Functionality” in the OpenSSH Administration Guide 
QuickFinder™ Server Manager | * “Managing QuickFinder” in the QuickFinder Server 4.2 Administration Guide 
TCP/IP Configuration (NetWare) | Same as Novell Remote Manager 
Tomcat Manager | * “Managing Tomcat with Tomcat Admin” in the Tomcat for NetWare Administration Guide for OES 


OES Linux Service Scripts 


Novell® OES services rely on specific service scripts located in /etc/init.d. The scripts used by OES, 
some of which are standard Linux scripts, are listed in Table E-1. 


IMPORTANT: For managing OES services, we strongly recommend using the browser-based tools 
outlined in Section 14.1, “Overview of Management Tools and Interfaces,” on page 91. The 
browser-based tools provide error checking not available at the service-script level, and they ensure 
that management steps happen in the sequence required to maintain service integrity. 


Table E-1 OES Service Scripts in /etc/init.d 


Services Associated with Scripts | Script Name | Notes 
Apache Web server | apache2 | The rcapache2 symbolic link, which is by default part of the path, can be used to start, stop, and restart the Apache Web Server, rather than referencing the init script directly. 
eDirectory™ | ndsd | This lets you start and stop eDirectory. It executes the /usr/sbin/ndsd binary. 
eDirectory LDAP support | nldap | This lets you load and unload the LDAP library that Novell eDirectory uses to provide LDAP support. It is not actually a service. 
eDirectory SLP support | slpd | 
eDirectory SNMP support | ndssnmpsa | 
Health Monitoring (OpenWBEM CIMOM) | owcimomd | 
iPrint | novell-idsd | 
 | novell-ipsmd | 
Linux User Management | namcd | 
 | nscd | 
NetStorage (XTier) | novell-xregd | 
 | novell-xsrvd | 
Novell Cluster Services™ (NCS) | novell-ncs | NCS uses some shell scripts and utilities that come with the heartbeat package. For example, NCS uses a binary called send_arp to send out ARP packets when a secondary address is bound. NCS never runs the heartbeat daemons. In fact, NCS and heartbeat are mutually exclusive when it comes to execution, and heartbeat must always be configured to not run (chkconfig heartbeat off) when NCS is loaded on the server. 
Novell iFolder® 2.x | novell-ifolder | 
Novell Remote Manager (NRM) | novell-httpstkd | This script runs by default on every OES Linux server and enables access to NRM for Linux through a browser. Use this script followed by the status option to view current status. Or use stop, start, or restart options to alter the run state of the NRM daemon as needed. 
Novell Storage Services™ | novell-nss | 
Red Carpet® | rcd | 
Samba | smb | 
Samba CIFS support | smbfs | 
Storage Management Services™ | novell-smdrd | 
Tomcat | novell-tomcat4 | 
(Other system services—do not run manually.) | post_ndsd_start | 
 | post_ndsd_stop | 
 | pre_ndsd_start | 
 | pre_ndsd_stop | 


OES System Users and Groups 


Novell® OES adds specific user and group accounts to the Linux system and to eDirectory™ for 
OES service use. The accounts are created without passwords, so they are immune from login 
attacks of any kind. 


The following sections summarize the Linux and eDirectory users and groups that the OES 
installation creates. Additional system-level users and groups might be created as you configure and 
administer OES services. 


F.1 System Users Created on Linux 


Table F-1 System Linux Users 


Username | Entry in /etc/passwd | Purpose 
iprint | iprint:x:UID:GID::/var/opt/novell/iprint:/shell | iPrint daemons 
novell_nobody | novell_nobody:x:UID:GID:Novell System User:/opt/novell:/shell | CIMOM 
novlifdr¹ | novlifdr:x:UID:GID:Novell iFolder System User:/var/lib/ifolder:/shell | Novell iFolder® 2.x 
novlwww¹ | novlwww:x:UID:GID:Novell System User:/var/opt/novell/novlwww:/shell | Tomcat4 (Tomcat5 runs as tomcat.) 
novlxregd¹ | novlxregd:x:UID:GID:Novell XRegD System User:/var/opt/novell/xtier/xregd:/shell | XTier registry daemon 
novlxsrvd¹ | novlxsrvd:x:UID:GID:Novell XSrvD System User:/var/opt/novell/xtier/xsrvd:/shell | XTier service 
wwwrun | wwwrun:x:UID:GID:WWW daemon apache:/var/lib/wwwrun:/shell | Apache 


¹ When Novell Storage Services™ (NSS) is installed on the Linux server, these users are removed 
from the local system and created as LUM-enabled users in eDirectory. This is required because 
these users must have access to NSS data, and all NSS access is controlled through eDirectory. 


For more information on /etc/passwd, refer to the passwd man page (man 5 passwd). 


F.2 System Users Created in eDirectory 


Table F-2 System eDirectory Users 


Username | eDirectory Context | Purpose 
Admin_Name | Admin_context specified during installation. | The eDirectory administrator is created with a new tree and has all rights to manage the tree. The name of this user is specified during installation (default is Admin). 
eGuidePublicUser### | Admin_context | This User object lets users without administrative rights log in and use eGuide. 
iFolderProxy### | specified during installation | This User object is used to browse eDirectory for iFolder 3 users. 
NFAUUser | Admin_context | This User object is used to browse, create, and update eDirectory objects on behalf of NIS (Yellow Pages). 
server_nameadmin | Admin_context | This User object is used by NSS to read user objects, and to maintain volume, pool, and other storage system objects. 
publicUser | VirtualOffice.Admin_context | Provides for contextless login for Virtual Office users by browsing eDirectory (LDAP) for matching CNs. If multiple CNs are found, the user chooses which to use. 


F.3 System Groups Created on Linux 


Table F-3 System Linux Groups 


Groupname | Entry in /etc/group | Purpose 
ifdrwww¹ | ifdrwww:!:GID: | Novell iFolder® 2.x runs as this group. 
iprint | iprint:!:GID: | The iPrint daemons run as this group. 
novell_nogroup | novell_nogroup:!:GID: | CIMOM runs as this group. 
novlxtier¹ | novlxtier:!:GID:wwwrun | Both novlxregd and novlxsrvd run as this group. Apache (wwwrun) is a group member because it needs XTier socket access. 
shadow | shadow:x:GID:novlwww | QuickFinder™ requires this system group. novlwww is a member of this group. 
www¹ | www:x:GID:novlxsrvd,admin | Apache (wwwrun) and tomcat4 (novlwww) run as this group. QuickFinder requires that user Admin (eDirectory) belong to this group. User novlxsrvd is in the group because it needs access to an Apache domain socket. 


¹ When Novell Storage Services (NSS) is installed on the Linux server, these groups are removed 
from the local system and created as LUM-enabled groups in eDirectory. This is required because 
members of these groups must have access to NSS data, and all NSS access is controlled through 
eDirectory. 


For more information on /etc/group, refer to the group man page (man 5 group). 
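

One way to verify the account properties described in Sections F.1 and F.3 on an OES Linux server, as an added example that is not part of the original guide: it checks that each system account has a locked password field rather than an empty one, and that group membership matches Table F-3. The sample entries (UIDs, GIDs, shells, hash string) are constructed, and treating a field that begins with ! or * as locked is an assumption taken from shadow(5).

```python
"""Audit the OES system accounts named in Tables F-1 and F-3 (added example)."""

# Usernames from Table F-1.
OES_USERS = ("iprint", "novell_nobody", "novlifdr", "novlwww",
             "novlxregd", "novlxsrvd", "wwwrun")

# Group name -> member list shown in Table F-3.
OES_GROUPS = {
    "ifdrwww": set(),
    "iprint": set(),
    "novell_nogroup": set(),
    "novlxtier": {"wwwrun"},
    "shadow": {"novlwww"},
    "www": {"novlxsrvd", "admin"},
}

# Constructed sample input with deliberate defects for the audit to find.
SAMPLE_PASSWD = """\
iprint:x:101:102::/var/opt/novell/iprint:/bin/false
novell_nobody:x:102:103:Novell System User:/opt/novell:/bin/false
novlwww:x:103:8:Novell System User:/var/opt/novell/novlwww:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
"""
SAMPLE_SHADOW = """\
iprint:!:13000:0:99999:7:::
novell_nobody:*:13000:0:99999:7:::
novlwww:$1$constructed$notarealhash:13000:0:99999:7:::
wwwrun::13000:0:99999:7:::
"""
SAMPLE_GROUP = """\
iprint:!:102:
novlxtier:!:104:wwwrun
shadow:x:15:novlwww,backup
www:x:8:novlxsrvd
"""


def parse_colon_file(text):
    """Map the first field of each passwd/shadow/group line to its fields."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def password_state(field):
    """Classify the second field of a passwd, shadow or group entry."""
    if field == "":
        return "empty"       # no password is required at all
    if field == "x":
        return "shadowed"    # the real value is in /etc/shadow or /etc/gshadow
    if field[0] in "!*":
        return "locked"      # no password can ever match this value
    return "hash"            # a usable password hash is set


def audit(passwd_text, shadow_text, group_text):
    """Return (kind, name, detail) findings for OES system users and groups."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    group = parse_colon_file(group_text)
    findings = []

    for user in OES_USERS:
        entry = passwd.get(user)
        if entry is None or len(entry) < 2:
            continue  # not local, e.g. moved to eDirectory when NSS is installed
        state = password_state(entry[1])
        if state == "shadowed":
            sh = shadow.get(user)
            state = password_state(sh[1]) if sh and len(sh) > 1 else "no shadow entry"
        if state != "locked":
            findings.append(("user", user, "password field: " + state))

    for name, expected in OES_GROUPS.items():
        entry = group.get(name)
        if entry is None or len(entry) < 4:
            continue  # group is not defined locally
        state = password_state(entry[1])
        if state in ("empty", "hash"):
            findings.append(("group", name, "password field: " + state))
        members = {m for m in entry[3].split(",") if m}
        for m in sorted(expected - members):
            findings.append(("group", name, "missing member: " + m))
        for m in sorted(members - expected):
            findings.append(("group", name, "unexpected member: " + m))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(finding)
```

On a server, pass the contents of /etc/passwd, /etc/shadow, and /etc/group to audit(); reading /etc/shadow requires root.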


F.4 System Groups Created in eDirectory 


Table F-4 System eDirectory Group 


Groupname | eDirectory Context | Purpose 
admin | Tomcat-Roles.Admin_context | This group is created by the Tomcat 4 application on OES NetWare servers. It contains users who are allowed to use the Tomcat Admin utility on NetWare. For more information on Tomcat Admin, see “Managing Tomcat with Tomcat Admin” in the Tomcat for NetWare Administration Guide for OES. 
apchadmn-Administrators | Admin_context | This group is created by the Apache Manager application on OES NetWare servers. It contains users who are allowed to use the Apache Manager application to manage the Apache Web server on NetWare. 
DNSDHCP-GROUP | Admin_context | This group is created when you install DNS/DHCP Services on OES NetWare. The DNS and DHCP servers gain rights to DNS and DHCP data within the tree through this Group object. 
manager | Tomcat-Roles.Admin_context | This group is created by the Tomcat 4 application on OES NetWare servers. It contains users who are allowed to use the Tomcat Manager utility on NetWare. For more information on Tomcat Manager, see “Managing Web Applications and Servlets” in the Tomcat for NetWare Administration Guide for OES. 
NFAUWorld | Admin_context | This Group object is initially created with the Server object. Its effective rights to the file system are used to compute and set the rwx rights of UNIX users accessing a NetWare file system. 
sshadmn-Administrators | Admin_context | This group is created by the OpenSSH application on OES NetWare servers. It contains users who are allowed to manage the OpenSSH server on NetWare. 


Samba Support in OES 


This section has been updated and moved to a separate guide, the Samba Administration Guide for 
OES Linux SP2. 


Documentation Updates 


This section summarizes the changes made to this manual since the initial release of Novell® Open 
Enterprise Server. 


H.1 October 25, 2006 


Chapter or Section Changed | Summary of Changes 
Section 1.2.1, “NetWare 6.5 Support Pack 6,” on page 19 | Added information about changes introduced with NetWare 6.5 SP6. 
Various | Updated information to reflect the change to NetWare 6.5 SP6. 


H.2 September 11, 2006 


Chapter or Section Changed | Summary of Changes 
Section 16.1, “Using Identity Manager 3.0.1 Bundle Edition,” on page 111 | Replaced information on IDM 2 with IDM 3 to reflect change to which IDM product can be downloaded in connection with OES. 
 | Corrected cross references throughout the guide. 
Chapter 28, “Licensing,” on page 157 | Updated the section to reflect the recent alignment of licensing for both platforms. The only restriction is the number of user connections, not the number of servers running OES services. 


H.3 June 28, 2006 


Chapter or Section Changed | Summary of Changes 
Section 10.4, “Samba,” on page 77 | Added a link to the Samba Administration Guide that was missing after the May 26th release. 


H.4 June 9, 2006 


Chapter or Section Changed | Summary of Changes 
Virtual Office 1.6.1 upgrade released. | VO was not included in OES SP2. It is now available on the Web and all applicable sections and statements have been updated. 


H.5 May 26, 2006 


Chapter or Section Changed | Summary of Changes 
Samba Support in OES. | Entire section reworked and moved to a new guide, the Samba Administration Guide for OES Linux SP2. 


H.6 May 5, 2006 


Chapter or Section Changed | Summary of Changes 
“Services in OES Linux That Require Linux-Enabled Access” on page 119 | Added SMS to the list. 
“Refreshing the User List in the KDE Login Screen” on page 125 | New section. 
“Aligning NCP and POSIX File Access Rights” on page 220 | New section that also includes information that was in the Samba documentation. 
“Implementing Samba File Services” on page 231 | Replaced most of the information with a link to the Samba section. 


H.7 April 3, 2006 


Chapter or Section Changed | Summary of Changes 
“Services in OES Linux That Require Linux-Enabled Access” on page 119 | Added clarification that Samba is not a PAM-enabled service and logging in through Samba will not create home directories. 
Methods for Creating Home Directories and Enabling Access for Samba Users. | Added clarification that Samba is not a PAM-enabled service and logging in through Samba will not create home directories. 


H.8 February 28, 2006 


Chapter or Section Changed | Summary of Changes 
“Links to Product Security Considerations Sections” on page 167 | Added more links to security sections in the OES documentation set. 


H.9 February 23, 2006 


Chapter or Section Changed | Summary of Changes 
“Nsure® Audit” on page 35 | Updated OES Linux auditing availability information. 
“Auditing” on page 129 | 


H.10 January 19, 2006 


Chapter or Section Changed | Summary of Changes 
Section 4.3.3, “Downloading OES Software from the Novell Web Site,” on page 51 | Revised the download instructions to provide a more reliable path for getting SP2 files, the SLES activation code, etc. 


H.11 January 17, 2006 


Chapter or Section Changed | Summary of Changes 
Section 4.3.3, “Downloading OES Software from the Novell Web Site,” on page 51 | Updated download instructions for SP2 release. 


H.12 December 23, 2005 


Chapter or Section Changed | Summary of Changes 
Various | Updated references to OES SP1. Statements that reflected changes in SP1 now refer to OES SP1 and later. Statements that apply to all OES versions now simply refer to OES. 
Table 3-1, “OES Services Available on OES LINUX and OES NetWare,” on page 34 | Added information about AFP, CIFS, and NFS file protocols. 
Section 8.1, “OES Linux,” on page 65 | Removed the statement that the Red Carpet® GUI is not supported. 
File Trustee Rights Changes Do Not Affect Current Samba Connections. | Added explanation that Samba treats rights changes in the same way as Windows. This is different from NFAP and has caused some confusion. 


H.13 November 1, 2005 


Chapter or Section Changed | Summary of Changes 
Entire Guide | Page design reformatted to comply with revised Novell documentation standards. 


H.14 October 4, 2005 


Chapter or Section Changed | Summary of Changes 
Section 5.1.5, “iFolder 3.x Considerations,” on page 56 | Added this section. 
Table D-1 on page 251 | Added information regarding rendering differences between Internet Explorer and Mozilla-based browsers. 


H.15 September 19, 2005 


Chapter or Section Changed | Summary of Changes 
Section , “Novell Cluster Services (Linux),” on page 24 | Revised the list of features as directed by product management. 


H.16 September 7, 2005 


Chapter or Section Changed | Summary of Changes 
Section 4.3, “Evaluating OES Software,” on page 50 | Revised the information and instructions to reflect changes to the download process. 


H.17 August 31, 2005 (Support Pack One) 


Chapter or Section Changed | Summary of Changes 
Chapter 1, “What's New,” on page 19 | New Section 
Figure 2-5 on page 31 | Updated to reflect new services organization 
Table 3-1 on page 34 | Updated service information 
Section 3.4.2, “Service Differences on the OES Platforms,” on page 38 | Updated to reflect current service mix 
Section 3.11.4, “Use Predefined Server Types (Patterns) When Possible,” on page 46 | Updated explanations 
“Getting and Preparing OES Software” on page 49 | Updated the explanation to reflect changes in distribution of OES 
Section 5.1, “Installation/Upgrade/Migration Caveats,” on page 55 | New section 
Chapter 6, “Upgrading to OES,” on page 61 | New chapter 
Chapter 7, “Migrating/Consolidating Existing Servers and Data,” on page 63 | New chapter 
Chapter 8, “Updating/Patching OES Servers,” on page 65 | New chapter 
Chapter 9, “Adding OES Services to OES Servers,” on page 67 | Updated 
Section 10.3.3, “iPrint,” on page 74 | Two caveats added 
Section 10.3.4, “NCP Server (OES Linux),” on page 75 | New section 
Section 10.3.5, “NSS (OES Linux),” on page 75 | Caveats added 
Section 11.2, “Coexistence and Migration,” on page 81 | Added link to section in this guide 
Section 12.2, “Coexistence and Migration of NetWare Services,” on page 83 | Added link to section in this guide 
Section 12.2, “Coexistence and Migration of NetWare Services,” on page 83 | Added link to section in this guide 
Chapter 16, “Identity Management Services,” on page 111 | Added bullet list at beginning of chapter 
Section 18.1.1, “A Graphical Preview of Linux User Management,” on page 118 | Modified explanation below illustration 
Section 18.1.6, “Services That Do Not Require Linux-Enabled Access but Have Some LUM Requirements,” on page 121 | Modified explanations 
Section 18.4, “LUM Implementation Suggestions,” on page 122 | Modified explanations because of iManager plug-in changes 
Section 28.1, “The OES Licensing Model,” on page 157 | New section 
Section 30.5, “Comparing the Linux and the NetWare Core Protocol (NCP) File Security Models,” on page 164 | New section 
Section 33.1.5, “Novell Client (NCP File Services),” on page 192 | Added new headings and link to information about Linux client 
Section 33.5.3, “NSS (and NetWare) File and Directory Trustee Management,” on page 198 | Added new sections for changing file and directory attributes 
Section 35.1.6, “Novell iFolder 3.1,” on page 215 | New section 
Table 35-1 on page 217 | Added iFolder 3.x entry 
Section 35.2.2, “Planning Your File Services,” on page 218 | Added iFolder 3.x entries 
Section 35.2.2, “Planning Your File Services,” on page 218 | Added iFolder 3.x entries 
Section 35.9, “Novell iFolder 3.x Implementation and Maintenance,” on page 229 | New section 
Table E-1 on page 253 | Added note entries 
Section F.2, “System Users Created in eDirectory,” on page 256 | Updated information 
Section F.4, “System Groups Created in eDirectory,” on page 257 | Updated information 
Overview of Samba | Updated information 
Samba and NSS Volumes | New section 
Section 30.5, “Comparing the Linux and the NetWare Core Protocol (NCP) File Security Models,” on page 164 | New section 
Creating and Enabling Samba Users and Groups in iManager | Extensive changes to reflect iManager plug-in changes 
Samba Access Vs. NCP Access | New section 


H.18 July 11, 2005 


Chapter or Section Changed | Summary of Changes 
All | Fixed broken links to OES online documentation. 


H.19 June 1, 2005 


Chapter or Section Changed | Summary of Changes 
All | Made copy edit changes. 